LANL Engineering Standards Manual STD-342-100 Chapter 8 – I&C Section D3060.90 I&C Rev. 4, 9/29/2014 Page 1 of 51 TABLE OF CONTENTS INSTRUMENTATION AND CONTROL (I&C) (D3060.90 ) Note: Sections which are applicable to all SSCs including programmatic/R&D are followed by (P & F). 1.0 Application of this Chapter ............................................................................................................ 3 2.0 Acronyms and Definitions.............................................................................................................. 5 3.0 Codes and Standards (P&F) ........................................................................................................... 7 4.0 Design Documentation (P&F) ...................................................................................................... 11 5.0 Building Automation Systems ...................................................................................................... 13 6.0 Equipment Identification (P & F) ................................................................................................. 26 7.0 Environmental Qualification (P & F) ........................................................................................... 26 8.0 Computer/Control & Data Processing Systems and Equipment (P & F) .................................... 30 9.0 Color Conventions for Process Displays (P & F) ......................................................................... 34 10.0 Grounding Practices (P&F) .......................................................................................................... 36 11.0 Process Control and Automation .................................................................................................. 39 12.0 Additional Requirements for Nuclear-Safety-Related Systems (P & F) ...................................... 39 Attachments:............................................................................................................................................. 51 A. Instrumented Systems used in Safety Significant and Hazardous Processes Design Guidance ...... 51 B. Fail-Safe Design of Process Control Loops Guidance ..................................................................... 51 C. Instrumentation and Controls Design Review Guidance ................................................................. 51 D. Installation and Calibration of Instruments Guidance...................................................................... 51 E. Alarm Management Guidance ......................................................................................................... 51 F. Instrument Loop Diagrams Guidance .............................................................................................. 51 G. Control Logic Diagrams Guidance .................................................................................................. 51 H. Panel and Wiring Diagram Guidance .............................................................................................. 51 I. Process Flow and Process & Instrumentation Diagram Requirements ............................................ 51
0 5/22/02 Initial issue as D3060/F1050. Mel Burnett, FWO-SEM
Kurt Beckman, FWO-SEM
1 11/17/03 Expanded “Additional Requirements for Safety-Related Systems” to include installation requirements and guidance and the application of IEEE 384 and ISA 84.01-1996. Added Environmental Considerations, Computer/Control & Data Processing Systems and Equipment, Color Conventions for Process Displays, and Grounding Practices. Added first seven appendices (A-G).
Mel Burnett, FWO-DECS
Gurinder Grewal, FWO-DO
2 5/18/05 Emphasized requirement for application of IEEE 384; added App. H.
Mel Burnett, ENG-DECS
Gurinder Grewal, ENG-CE
3 10/27/06 DOE O 420.1A became 420.1B. Added App I on PFD/PID (formerly in Ch 6). Admin changes.
Mike Clemmons, FM&E-PSE
Kirk Christensen, CENG
4 9/29/14 Section became D3060.90. Updates for DOE 420.1C; Section 5.0 became BAS, other updates. All appendices changed to attachments.
Allen Hayward, ES-EPD
Lawrence Goen, ES-DO
PLEASE CONTACT THE I&C STANDARDS POC for upkeep, interpretation, and variance issues
A. The purpose of this chapter of the LANL Engineering Standards Manual (ESM) is to ensure I&C systems are designed to prevent accidents and mitigate consequences; are efficient, convenient, and adequate for good service; and are maintainable, standardized, and adequate for future expansion.
B. This chapter, along with other chapters of the Engineering Standards Manual, comprehensively implements requirements and guidance in DOE O 420.1C, Facility Safety, and its guide, (1) DOE G 420.1-1A, Nonreactor Nuclear Safety Design Criteria and Explosive Safety Criteria Guide for use with DOE O 420.1C Facility Safety, along with providing additional requirements.
C. Use this chapter along with Chapter 1-General, Chapter 7-Electrical, Chapter 10-Hazardous Process, Chapter 12-Nuclear and other ESM chapters as applicable. See Table 8-1 below.
Note: Guidance statements are in italics or are otherwise clearly indicated.
D. All facility-related I&C design, material, equipment, and installations shall comply with site-specific requirements in this Chapter and Chapter 1 of the ESM. Requirements in this Chapter that also apply to programmatic and R&D work are addressed in Para 1.3.
E. When new LANL Standards requirements are issued, refer to ESM Chapter 1 Section Z10, Code of Record subsection, for application considerations.
F. Where appropriate, guidance is provided to aid the cost-effective implementation of site-specific requirements and the requirements in the applicable codes. Italicized text identifies recommended guidance (not mandatory), based on good business practice and through lessons-learned at LANL. All other text in regular type indicates mandatory requirements unless prefaced with wording identifying it as guidance or a recommendation.
G. In addition to new I&C installations, this chapter applies to some renovation, replacement, modification, maintenance, or rehabilitation projects. Refer to ESM Chapter 16-IBC Building Safety Program, for requirements.
H. The adequacy of all design inputs is the responsibility of the designer/design agency. If the designer believes the ESM to be incorrect (e.g., compliance will cause a problem), it is their responsibility to bring the issue to the attention of the ESM Discipline POC (via the Project Manager if appropriate) for resolution. All Variances, Clarifications, Interpretations, and Exceptions should be documented per ESM Chapter 1, Section Z10.
I. Responsibility for the design of I&C, mechanical, and electrical systems can vary across organizations. NOTE: Coordination between the discipline designers is essential to achieve the best systems.
Controllers and processors for real-time control of mechanical, lighting, or building energy system monitoring
Fluid-controlling devices such as valves and dampers with the associated actuators
Identification of fire protection related safety control functions required above and beyond those required in Chapter 2 and related Master specifications
Power supplies and UPS systems
Sensors and transmitters (temperature, humidity, flow, pressure, orifice plates, thermowells, flow measuring arrays and stations, etc.)
Local mechanical (non-loop) indicators such as gauges and thermometers
Building construction features such as materials of construction, fire resistance ratings, fire doors, fire dampers, fireproofing and fire-stopping materials
Power switches, breakers, and relays
Self-contained controllers such as thermostats and humidistats
Instrumentation tubing and isolation valves
Features of fire suppression systems in Chapter and related Master specifications
Electrical protective relays and devices
Reference pressure devices
Instrument air delivery systems
Fire alarm systems in Chapter and Master Specifications Sections 28 3100 and 28 3110
Motors, motor starters, and variable frequency drives (VFDs)
Low voltage switches and relays used as output devices to control mechanical systems
Current and potential transformers used for electric metering and protection functions
Current transformers and relays used for status monitoring
Electrical distribution monitoring and control
Fire Protection related process safety interlocks that are in addition to the requirements in ESM Chapters 2 and 7
A. The following are excluded from the requirements of this chapter.
1. Fire alarm systems and fire sprinkler systems that do not have safety related interlocks and that are designed and installed in compliance with Chapters 2 and 7 of the ESM including the associated specifications.
2. Systems and devices providing security functions and controlled by PS Division.
3. Systems and devices that have the primary purpose of controlling vehicular and/or pedestrian traffic.
1.3 Programmatic
A. The I&C chapter shall be applied to programmatic systems and components as follows:
1. Headings in this Chapter followed by “P&F” indicate that subsection shall be complied with by all of LANL, including programs.
2. Guidance: Programmatic personnel should review all topics in the chapter for relevant material when initiating any design task.
2.0 ACRONYMS AND DEFINITIONS For other definitions, refer to ESM Chapter 1, Section Z10.
Acronym Definition
ASHRAE American Society of Heating, Refrigeration & AC Engineers
BAS Building Automation System - A control system that provides temperature control to normally occupied portions of a facility. This may include, but is not limited to: HVAC equipment, power metering equipment, lighting controls, etc. It does not include Safety Significant (ML-2) or Safety Class (ML-1) control systems.1
CFR Code of Federal Regulation
Design Agency The organization performing the detailed design and analysis of a project or modification.
Design Documents
Design Documents are those design-related documents that define or otherwise control the final design, operation, or maintenance of a facility or program. Examples of design documents include drawings, as-builts, calculations, vendor manuals, equipment and document lists, studies, reports, and design specifications.
Design Input Specification
A Design Document prepared for Safety Related systems, with emphasis on conditions unique to the facility and subject process.
Facility A synonym for Real Property and Installed Equipment. RP&IE is the land, improvements on the land such as buildings, roads, fences, bridges, and utility systems and the equipment installed as part of the basic building construction that is essential to normal functioning of a building space, such as plumbing, electrical and mechanical systems. This property/equipment is also referred to as institutional or plant and was formerly known as Class A. [ref DOE Order 433.1].
ES
EPD
Engineering Services Division
ES Division’s Engineering Project Delivery Group
IEEE Institute of Electrical and Electronics Engineers
ISA International Society of Automation previously known as The Instrumentation, Systems, and Automation Society
Master Equipment List (MEL)
The MEL is a controlled hardcopy or electronic database of facility, and applicable programmatic SSCs. The MEL captures and controls equipment information such as identification number, name, function, location, vendor data, design information, management level, and reference documentation.
ML-1 to 4 Management Level – See AP-341-502 or Section Z10 for definitions of ML levels.
NFPA National Fire Protection Association
OSHA
P&A
Occupational Safety and Health Administration
Process and Automation (SMEs within ES-EPD Electrical Team)
POC Point of contact. For ESM chapter/discipline Technical Committee POCs
Programmatic A synonym for Personal Property and Programmatic Equipment. PP&PE is equipment used purely for programmatic purposes, such as reactors, accelerator machinery, chemical processing lines, lasers, computers, machine tools, etc., and the support equipment dedicated to the programmatic purpose. This property/equipment is also referred to as organizational, research, production, operating or process and was formerly known as Class B. [archived DOE Order 4330.4B].
Safety Class (SC)
Systems, structures, or components including primary environmental monitors and portions of process systems, whose failure could adversely affect the environment, or safety and health of the public as identified by safety analyses. [10 CFR 830.3].
Safety-Related A term meaning safety class, safety significant, and those ML-1 and ML-2 SSCs that could potentially impact public or worker safety or the environment in the same way as safety class or safety significant systems respectively.
Structures, Systems, and Components that are not designated as Safety-Class SSCs but whose preventive or mitigative function is a major contributor to defense in depth and/or worker safety as determined from safety analyses. [10 CFR 830.37]
As a general rule of thumb, Safety-Significant SSC designations based on worker safety are limited to those Systems, Structures, or Components whose failure is estimated to result in a prompt worker fatality or serious injuries or significant radiological or chemical exposures to workers. The term, serious injuries, as used in this definition, refers to medical treatment for immediately life-threatening or permanently disabling injuries. (e.g., loss of eye, loss of limb).
Safety Significant Instrumented System (SIS)
An SS system or 29 CFR 1910.119 hazardous process independent protection layer that requires instrumentation, logic devices and final control elements to monitor and detect a ML-2/SS event, and which will result in automatic or operator action that will bring the facility or process system to a safe state.
SRS Savannah River Site
Structure, System, and Component (SSC)
Structure, System, and Component are defined as “Structure is an element, or a collection of elements to provide support or enclosure such as a building, free standing tank, basins, dikes, or stacks; System is a collection of components assembled to perform a function such as piping, cable trays, conduits, or heating, ventilation, and air conditioning; and Component is an item of equipment such as a pump, valve, or relay, or an element of a larger array such as a length of pipe, elbow, or reducer.
System Design Description (SDD)
A document defining a facility safety or mission-important system. The system design description consolidates existing system designs and presents design basis requirements imposed on the system by governing criteria and analyses that dictate system design features and configurations.
3.0 CODES AND STANDARDS (P&F) 3.1 General
A. Listed Equipment: All I&C electrical equipment shall be procured, installed and operated in compliance with ESM Chapter 7 Electrical and LANL P101-13.
3.2 National Codes and Standards – Task Matrix
A. Table 8-2 that follows identifies the minimum set of codes and standards that shall be applied to nuclear-safety-related I&C systems and the recommended set for non-nuclear-safety service systems -- consistent with their applicability for the specific technical or performance function.
B. Nuclear-safety-related systems: Many codes and standards listed in Table 8-2 were written for slightly different applications than those found at LANL. When these situations are encountered it is the Design Agency’s responsibility to provide a documented graded approach on how the required codes and standards will be applied at the time of the first design review. Concurrence of the Chapter 8 POC and FDAR is required for all graded approaches to application of codes and standards to ML-1 and 2 systems. DOE approval may be required in certain situations per ESM Chapter 1 Section Z10. Guidance: It has been understood that many codes referenced in Table 8-2 were written for the nuclear power industry. With that being understood, some codes may not be directly applied to LANL installations. This does not negate the requirements of DOE O 420.1C2. Applicable principles of required codes and standards must be applied and documented. A matrix of codes and standards documenting a basis for non-applicability or applicability is a good way to document this requirement. It may be necessary to provide additional detail when only parts of a given code or standard is applicable by breaking the basis down to chapter, section, or specific requirement.
2 Implementation schedule for 420.1C-driven requirements per ESM Ch. 1 Z10
General ISA 5.1 and 5.3; IEEE N323; NFPA 70; others as applicable
ANSI/ISA series especially 5.1, 5.2, 5.3, 5.4, and TR84.00.063; NFPA Applicable Codes and Standards; ANSI C2, N323D; IEEE, 141, 142, 242, 493, 1050, and 7-4.3.2; DOE G 420.1-1A; DOE O 420.1C; ANSI/ANS 58.8, 59.34; DOE-STD-1195 (implements ISA 84.00.01)
ANSI/ISA series5 especially 5.1, 5.2, 5.3, 5.4 and TR84.00.06; NFPA Applicable Codes and Standards; ANSI N320; ANSI C2, N323D; IEEE 141, 142, 242, 323, 336, 338, 344, 379, 384, 493, 1050 and 7.4.3.2; DOE G 420.1-1A; DOE O 420.1C; ANSI/ANS 58.8, 59.3
HPS ASC N13; IEEE N42.17B, N42.18; NFPA Applicable Codes and Standards ANSI/ANS N13 series ANSI/ANS 8.3 (criticality only)
Programmable Digital Equipment
IEEE 1046 and 1289; ANS 10.5; NUREG 0700
IEEE 1046 and 1289; ANS 10.5; NUREG 0700
IEEE 1046 and 1289; ANS 10.5; NUREG 0700
User Interface IEEE 1023 IEEE 1023
Ventilation ASME AG-1, N509 and N510 ASME AG-1, N509 and N510
Building Automation Systems6
ASHRAE 90.17, 62.1 and 15
ASHRAE 90.18 and 15 ASHRAE 90.19 and 15
3 TR84.00.01 is a report required by DOE O 420.1C. Apply it as applicable so long as it is listed in 420.1C, but not if deleted in Chg. 1 or later mandate. After any such deletion, treat as guidance. 4 ANSI/ANS 59.3-2002 was withdrawn by ANS but is still required by DOE O 420.1C. Apply 59.3 as applicable so long as it is listed in 420.1C, but not if deleted in Chg. 1 or later. After any such deletion, treat as guidance. 5 ISA 84.00.01 is not applicable to SC systems per DOE-STD-1195. 6 BAS code requirements added here to support implementation of Variance 2013-111 7 The requirement to follow ASHRAE 90.1 flows out of Chapter 14 of the ESM, but is repeated here to make it clear that this is a required document for BAS systems. See ESM Chapter 14 for additional requirements including applicable year of standard. 8 Specific safety requirements may override ASHRAE 90.1 energy conservation measures but must be documented and accepted by LANL 9 Ibid
Titles for Table 8-2ANSI/ANS 8.3, Criticality Accident Alarm System ANS 10.5, Accommodating User Needs in Computer Program Development ANSI/ANS 58.8, Time Response Design Criteria for Safety-Related Operator Actions ANSI/ANS 59.3, Nuclear Safety Criteria for Control Air Systems ANSI C2, National Electrical Safety Code [NESC] ANSI/IEEE N320, Performance Specifications for Reactor Emergency Radiological Monitoring Instrumentation ANSI N13 series addresses radiation monitoring equipment ASHRAE 15, Safety Standard for Refrigeration Systems ASHRAE 62.1, Ventilation for Acceptable Indoor Air Quality ASHRAE 90.1, Energy Standards for Buildings except for Low Rise Residential Buildings (see ESM Chapter 14 for current applicable version) ASME AG-1, Code on Nuclear Air and Gas Treatment ASME N509, Nuclear Power Plant Air-Cleaning Units and Components ASME N510, Testing of Nuclear Air-Cleaning Units and Components ANSI N323D, Radiation Protection Instrumentation Test and Calibration DOE G 420.1-1A, Nonreactor Nuclear Safety Design Criteria and Explosive Safety Criteria Guide for use with DOE O 420.1C Facility Safety DOE O 420.1C, Facility Safety DOE-STD-1195, Design Of Safety Significant Instrumented Systems Used At DOE Nonreactor Nuclear Facilities. ANSI/ASC N13.1, Guide to Sampling Airborne Radioactive Materials in Nuclear Facilities [Health Physics Society Accredited Standards Committee] IEEE 7.4.3.2, IEEE Standard Criteria for Digital Computers in Safety Systems of Nuclear Power Generating Stations. N42.17B, Radiation Instrumentation Performance Specifications for Health Physics Instrumentation – Occupational Airborne Radioactivity Monitoring Instrumentation N42.18, Specification and Performance of On-Site Instrumentation for Continuously Monitoring Radioactivity in Effluents (ANSI/IEEE) 141, Recommended Practice for Electrical Power Distribution in Industrial Plants (IEEE Red Book) 142, Recommended Practice for Grounding of Industrial and Commercial Power Systems (IEEE Green Book)
242, Recommended Practice for Protection and Coordination of Industrial and Commercial Power Systems (IEEE Buff Book) 323, IEEE Standard for Qualifying Class 1E Equipment for Nuclear Power Generating Stations 336, IEEE Standard Installation, Inspection, and Testing Requirements for Power, Instrumentation, and Control Equipment at Nuclear Facilities 338, IEEE Standard Criteria for the Periodic Surveillance Testing of Nuclear Power Generating Station Safety Systems 344, IEEE Recommended Practice for Seismic Qualification of Class 1E Equipment for Nuclear Power Generating Stations 379, IEEE Standard Application of the Single-Failure Criterion to Nuclear Power Generating Station Safety Systems 384, IEEE Standard Criteria for Independence of Class 1E Equipment and Circuits 493, Recommended Practice for the Design of Reliable Industrial and Commercial Power Systems (Gold Book) 1023, IEEE Guide for the Application of Human Factors Engineering to Systems, Equipment, and Facilities of Nuclear Power Generating Stations 1046, Application Guide for Distributed Digital Control and Monitoring for Power Plants 1050, IEEE Guide for Instrumentation Control Equipment Grounding in Generating Stations 1289, Guide for the Application of Human Factors Engineering in the Design of Computer-Based Monitoring and Control Displays for Nuclear Power Generating Stations ISA [all formerly ANSI/ISA “S” series] 5.1, Instrumentation Symbols and Identification 5.2, Binary Logic Diagrams for Process Operations 5.3, Graphic Symbols for Distributed Control/Shared Display Instrumentation, Logic and Computer Systems 5.4, Instrument Loop Diagrams 67.04.01, Setpoints for Nuclear Safety-Related Instrumentation TR84.00.01, Application of Safety Instrumented Systems for the Process Industries Not all required ANSI/ISA standards are listed here; apply all applicable as required under DOE O 420.1C. NFPA 70, National Electrical Code [NEC] NFPA 110, Standard for Emergency and Standby Power Systems; also NFPA 110A Not all required NFPA code and standards are listed here; apply all applicable as required under DOE O 420.1C. NRC NUREG-0700, Guidelines for Control Room Design Reviews
A. The baseline Design Documentation (Design Input Specifications and Design Drawings) is to be established at a level commensurate with the management level/safety classification of I&C systems and/or devices in accordance with DOE-STD-1073, “Configuration Management Program.” At a minimum, P&ID Drawings, Instrument Loop Drawings, Control Logic Drawings, and Schematic Drawings shall be considered priority drawings for all safety-related systems. The drawing guidance shall be considered requirements for safety related SSCs.
B. The following provides a graded approach for determining when priority drawings are required.
1. For all ML-1 SSCs
2. For all ML-2 SSCs, and
3. For ML-3 SSCs that provide a mission critical, defense in depth, or worker safety function or whose failure may impact operation of ML-1 or ML-2 SSCs.
C. Priority Drawings shall be part of the Project Record Documents provided to LANL prior to formal Construction Project Acceptance. Refer to required Attachment I on PFD and P&ID Diagram requirements and this chapter’s Attachments F through H for guidance on the other drawing types.
D. Drawing content and format shall comply with the LANL Drafting Manual including its Mechanical section (Section 305) and Electrical section (Section 306).
E. A performance (design input) specification shall be developed for safety-related systems to include, as applicable, the following items: 10
1. Performance requirements for all plant operating conditions (accident and normal) wherein the equipment is expected to perform an intended function.
2. Ambient and process operating conditions including the measured variable for each of the applicable operating modes and conditions.
3. The minimum and maximum ambient temperatures, pressures, and relative humidity to which the I&C system devices will be subjected.
4. The cumulative dosage levels (alpha, beta, and gamma) and maximum dose rates to which the equipment will be subjected under the operating conditions.
5. Concentration and duration of chemical exposure to which the equipment will be subjected.
10 Taken from ASME AG-1-1997, “Code on Nuclear Air and Gas Treatment” Article IA-4120, and supplemented by SRS Standards, Guides, and Engineering Manual E7. The listing identifies the necessary input that is required for the selection of appropriate I&C devices.
6. All electrical power transients and normal power fluctuations to which the I&C system devices may be subjected.
7. Structural/vibratory loads to which the instrumentation and control system components, enclosures, or supports will be subjected.
8. Any other environmental qualification considerations (see that heading below).
Guidance: The above items that constitute a design input specification should be addressed for any I&C system, as applicable or practical.
F. SDD: A system design description shall be developed for Safety-Related I&C systems, or those I&C systems that provide a mission critical, defense in depth, or worker safety function, whose failure may impact the operation of safety-related SSCs, and when required by other ESM Chapters including Ch 1 Section Z10. 11 Note: The SDD shall be submitted as part of the project record documents prior to project acceptance. The content of the system design description shall be based on DOE-STD-3024 and shall document the purpose (design function) and safety classifications for the I&C components, and sections or subsections shall be added to ensure the following content is adequately addressed:12
1. System and Component Functions
2. System and Component Design Requirements or Constraints
3. Operation Description
4. Set Points and System Limitations (Expected Values or Ranges)
5. Expected System Upsets and Methods/Procedures for Recovery
6. Maintenance Requirements and Recommendations
7. Bases for Design Requirements
8. Interface Requirements
9. References
G. Any necessary calculations shall be performed and documented according to AP-341-605, Calculations, or an equivalent LANL-approved procedure.
H. Guidance: As part of the Project Record File, when required, the following documentation should be obtained from the Manufacturer of I&C system devices, as applicable:13
1. Mounting connection details
2. Weight and center of gravity
3. Service connections, size, type, and locations
11 ESM Ch 1 Section Z10 also includes requirements on SDD need and content. 12 The list establishes the essential content for a System Design Description and was developed by SRS in accordance with DOE-STD-3024, “Content of System Design Descriptions.” 13 The document listing is taken from ASME AG-1-1997, “Code of Nuclear Air and Gas Treatment,” and identifies the types of I&C documentation that should be requested from the manufacturer.
10. Panel general arrangement and construction drawings
11. Instrument piping and tubing drawings
12. Certificate of conformance
13. Calibration procedures and data
14. Panel mounted instrument list including nameplate engraving
15. Maintenance and surveillance requirements
16. Recommended spare parts listing
17. Specification data sheets for components, parts, or system
18. Instrument index
I. Guidance: ISA-20, “Specification Forms for Process Measurement and Control Instruments, Elements, and Control Valves” should be used to assist in procurement of instrumentation equipment. These data sheets are available from the Chapter POC for LANL use.
5.0 BUILDING AUTOMATION SYSTEMS
5.1 General
A. This section of the standards applies to systems commonly referred to as Building Automation Systems (BAS), Facility Management Systems (FMS), Energy Management Systems (EMS), and similar. These types of systems are referred to as BAS for the remainder of this section. The primary function of these systems it to monitor and control facility based systems to provide comfort for personnel, to maintain indoor space temperatures for the operation and protection of equipment and to maximize the energy efficiency of the facility.
B. Comply with LANL Master Specification 25 5000, Integrated Automated Facility Controls. Guidance: A newer draft may be available from the Chapter 8 POC.
C. ML-1 and ML-2: Systems involving ML-1 and ML-2 safety functions may have more stringent or conflicting requirements that this subsection (5.0), and those take precedence; however, meet the intent of this section when possible. Guidance: For example, a critical fan may need to operate for a safety function independent of the status of an associated freeze protection device.
D. See ESM Chapter 14 for additional sustainable design requirements.
1. In all new, air-conditioned buildings larger than 10,000 gross sq. ft.
2. In remodeled buildings where the remodeled space is larger than 10,000 gross sq. ft.
3. In remodeled buildings where an existing BAS is present, extend the BAS into the remodeled space. Guidance: See section 5.4 of this chapter of additional requirements regarding existing BAS systems. In some cases, non-standard or outdated BAS systems must be replaced in totality when remodeling buildings.
4. In buildings less than 10,000 gross sq. ft. when the complexity of the control system or the energy payback justifies the additional expense of a BAS system. Guidance: HVAC systems involving Variable Volume-Variable Temperature (VVT), Variable Air Volume (VAV), the need for precision air temperature control (Typically < +/-1°F control), or the need for remote monitoring or alarming are systems that may require BAS systems.
F. Deferred and Delegated Design: In many cases the detailed BAS design is completed at a later date by the control contractor based on guidance provided in the initial design documents. When a detailed control design that indicates exact components and wiring connections is not provided in the main project engineering design package, it is the design engineer’s responsibility to communicate applicable requirements of this and other sections of the ESM to the control contractor though drawing notes, the sequence of operation, and/or specifications to assure that the requirements are implemented in the control contractor’s design submittal. Guidance: Many times exact details of how the control system is implemented are based on the brand of control system selected by the control contractor. The control contractor is typically guided by the specification and drawings for the project, not the entire ESM.
5.2 Equipment Protection Safeties
A. BAS systems shall be designed to protect the equipment from damage due to failures in the system to the extent possible. The following are minimum protection requirements; others may be needed based on system requirements.14
B. Freeze Protection Thermostats (Freeze-Stats)
1. Freeze-Stats must be provided on any air-side HVAC system that:
a. Has a water coil within the main HVAC unit or in the downstream ductwork that can be subject to entering air temperatures below 40°F. Guidance: Consider the worst-case scenario for determining coil entering air temperatures. For example, a VAV system with a fixed minimum outside air flow will have a much lower mixed air temperature when the VAV boxes are at minimum flow.
b. Has a water coil within the main HVAC unit or in the downstream ductwork that has an air side economizer cycle. Guidance: Although air side economizers are designed to prevent mix air temperatures below freezing, the failure of an economizer damper or actuator can result in temperatures well below freezing. A freeze –stat provides an addition layer of protection for water coils.
c. Serves an area with temperature sensitive equipment or materials that could be damaged by freezing should the HVAC system fail and introduce excessively low supply air temperatures.
d. For systems that have a low mixed air temperature due to large quantities of outside air, with zone temperature controlled heating, it may be necessary to provide a more complex freeze protection control system than the standard freeze-stat to prevent nuisance tripping of the freeze-stat. Such alternate systems shall be approved in writing by LANL controls SME.
2. Freeze-stats shall be located in such a way as to minimize nuisance tripping while maximizing protection of coils. Guidance: In general heating coils should be place first in the air stream with the freeze-stat located downstream of the coil. This allows the hot water coil to temper the air and to protect a downstream cooling coil. Water heating coils subject to entering air temperatures below 40°F shall be equipped with a local recirculation pump (see other requirements in this chapter and ESM Mechanical Chapter 6 for water coil protection). The correct location should always be shown on design documents and not left to the choice of the contractor.
3. Freeze-stats shall be hardwired to perform the following functions automatically upon tripping. All functions shall not require any control signal or power from the BAS system to perform the required action. Valves and damper actuators, upon loss of power from the freeze-stat hardwired connection shall spring return15 to the required position:
a. Hot water valves shall move to provide a maximum heated flow the coil.
b. Chilled water valves shall move to provide the maximum flow to the coil. This shall occur independently of whether the chilled water pumps are operating.
c. Outside air and exhaust air dampers shall close and return air dampers shall open
d. Supply, return and exhaust fans in the HVAC unit shall stop. This shall occur, independent of the position of any local hand-off-auto switch16.
15 Alternate methods of moving valve and damper actuators to their required position, such as super caps, etc. are allowed. Spring return is preferred, but any approved method of fail-safing may be used. 16 In special cases, the hand operation of the fan may be allowed to override freeze-stat operation, but in no case shall override a fire alarm shutdown requirement.
4. The BAS control system shall have a dedicated freeze-stat input to detect the status of the freeze-stat. When the BAS system detects a freeze-stat trip alarms shall be generated and the BAS shall position valve, damper and fan signals to match the hardwired shutdown positions.
Guidance: The BAS is to position the valve, damper and fan signals to match the hardwired positions as a redundant backup to the required hardwired fail positions. This also makes the computer based user interface more closely display the actual status of the system. On systems that require multiple freeze-stats to cover a large coil area, the output of all commonly located freeze-stats may be combined into one single BAS input provided the individual freeze-stats have some sort of local indicator to identify which freeze-stat has tripped.
5. On makeup air systems using a heating source that requires air flow prior to actuation (gas, electric) or on units located outside where the freeze-stat might be subject to low temperatures when the fan is off, provide an auto-reset freeze stat with a timed bypass switch with a maximum bypass of 10 minutes. An operator accessible momentary bypass button shall be used to initiate the bypass timer and shall be clearly marked with its purpose.
Guidance: On units where the fan must start before the heat can be started, the unit cannot be restarted on a cold day. The freeze-stat will trip before the heating can be started (a gas unit may need to purge for upwards of a minutes before igniting and providing heat). A manually activated bypass timer allows an operator to restart the equipment, but assures the equipment will shut down should the heat fail to operate within the time delay. The manual actuation of the bypass timer at the HVAC unit assures the operator is present and can monitor the restart. This is an exception to the normal manual-reset Freeze-stat requirement.
C. High Duct Static Pressure Protection
1. High duct static pressure shutdown protections shall be provided on any variable air flow system or any system with automatic dampers where the following are true:
a. The fan maximum static pressure than can be developed at full speed exceeds the pressure rating of the ductwork, plenum or duct accessories. This consideration shall assume pressure control loops are inactive and the fan is at maximum speed and/or normally interlocked dampers have failed in a closed position.
b. The system is subject to surging
c. The system has other special pressure protection requirements
2. High pressure shutdown protections shall be hardwired to shutdown required fans as required to protect the system. Other devices, such as dampers, valves, speed control signals, may be positioned via the BAS system signals upon detection of this type of shutdown.
3. The BAS control system shall have a dedicated high pressure shutdown input to detect the status of the high pressure shutdown controls. When the BAS system detects a high pressure shutdown alarms shall be generated and the BAS shall position valve, damper and fan signals to match the hardwired shutdown positions.
4. The high pressure shutdown protection shall not override freeze protection controls
5. The high pressure shutdown shall require a manual reset by the operator.
6. On fans with isolating dampers in line, where the deadheaded pressure of the fan may exceed the isolation damper pressure rating, fans shall be interlocked with the position of the damper. The interlock shall prove the isolating dampers are open prior to allowing the fan to start. The use of a time delay to delay fan start up after the damper is commanded to open shall not be used. Guidance: In some cases it may be necessary to provide this type of interlock on larger fan systems, even though the dead head pressure does not exceed the isolation damper pressure rating.
D. Fire Alarm Shutdown
1. Where HVAC systems are required to be interlocked to the fire alarm system and/or duct smoke detectors, the shutdown of the HVAC system shall be hardwired to the HVAC equipment and not rely on the BAS system unless the BAS system is approved for such actions. Guidance: In general the BAS and fire protection interfaces shall be kept as simple as possible. Required NFPA functions shall only be performed by approved controls
2. The BAS control system shall have a dedicated fire alarm shutdown input to detect the status of the fire alarm shutdown controls. When the BAS system detects a fire alarm shutdown alarms shall be generated and the BAS shall position valve, damper and fan signals to match the hardwired shutdown positions.
3. The fire alarm shutdown protection shall not override freeze protection control. Guidance: During a fire alarm shutdown, the freeze protection control shall not be inhibited to provide such functions as closing the outside air damper or opening a heating control valve, etc.
4. Hand-off-auto switches shall never bypass fire alarm shutdown functions unless they are part of an approved smoke/fire control system.
1. When heating and cooling coils are subject to entering air temperatures below 40°F under normal operating conditions, a local recirculation pump is present.17 These recirculation pumps shall have the following BAS control system requirements:
a. The sequence of operations shall require the recirculation pump to operate anytime the outside air temperature is below 40°F (adj) and to not operate anytime the outside air temperature is above 45°F (adj). The main start/stop control of the pump shall be though a dedicated digital output on the BAS system.
b. A pump-running status point shall be provided for the recirculation pump in the form of a current sensor, flow switch, or differential pressure switch. Failure to detect pump operation when the pump is commanded on shall generate an alarm.
c. A water temperature sensor shall be provided on the leaving water side of the heating coil prior to the main building HW return pipe or the inlet of the recirculation pump. The sequence of operation shall require the HW valve to modulate open whenever the HW return temperature drops below 36°F (adj) to keep the recirculated water temperature above freezing. An alarm shall be generated if this water temperature drops below 34°F (adj) for longer than 10 minutes (adj).
d. Coils protected by glycol mixes are exempt from these requirements as long as the freezing point of the glycol mix is lower than the worst case entering air temperature.
B. 100% Outside Makeup Air Units
1. Units of this type shall require a supply air temperature control loop to be specified in the Sequence of Operations. When the air from the makeup air unit is supplied to occupied spaces the setpoint of the supply air temperature shall be reset by the space temperature (or zone demand) and be limited to control the supply air temperature to prevent drafts and stratification (typically between 50°F and 130°F). Guidance: Directly controlling heating and cooling stages in a makeup air unit from space temperature can result in extreme supply air temperature fluctuations. By using a cascaded control loop to directly control the supply air temperature based on space temperature the swings in supply air temperature can be minimized.
2. The heating and cooling in this type of unit must have adequate staging or modulating controls to prevent short cycling of stages and/or large temperature swings in the discharge air temperature. When staging is used to control discharge air temperature the maximum temperature rise per stage should be limited to no more than 10°F. When modulating controls are used the turn down ratio shall be large enough that cycling off and on at the minimum capacity is minimized. Guidance: Typically a modulating heater with a turn down of 10:1 is
17 ESM Chapter 6 Mechanical ESM Section D30 “Preheat Coils” article requires both a preheat coil and pump for same.
adequate for most makeup air applications at LANL. This results in an on/off cycle at minimum fire of about 8 to 10°F. If precision temperature control in the conditioned space is required, higher turndown ratios may be needed or other methods of controlling the temperature may be needed. When electric heat is used, consider the application of an SCR Vernier control to minimize cycling of electric heater contactors.
C. Control Panel Fabrication, Location, and Power
1. Control panels used for BAS controllers shall meet the following requirements:
a. Any control panel with a BAS controller in it shall not have line voltage (>50VAC/DC) located in the same enclosure. Place line voltage controls in a separate panel from the BAS controller enclosure. Line voltage may enter the control panel, but must be contained within conduit or other suitable enclosures when inside the control panel. (i.e. a fully enclosed control transformer may be mounted inside the control enclosure if all line voltage power wiring is in conduit)
b. Power for the BAS controller shall be provided by the HVAC unit it controls or from a dedicated power source specific to the BAS control system. When power is supplied by a source other than the controlled HVAC equipment a local disconnect switch shall be provided. This may be in the form of a lighting type toggle switch with a locking hasp or a transformer mounted rocker switch. Dedicated 120VAC power sources for BAS control systems shall not have any other foreign loads attached to the circuit and shall be clearly labeled “BAS Controls” at the breaker panel.
c. A single 120VAC outlet for connection to a laptop shall be provided at the main BAS control panel (typically the BACnet router control panel) and may be fed from the dedicated BAS control system power circuit. This outlet shall be labeled as a power-limited outlet specifying the available VA.
d. Low voltage power breakers (typically 24VAC) shall be resettable without exposing line voltage power sources.
e. Low voltage power sources for control panels shall be equipped with manually resettable breakers. Fuses and fusible winding transformers shall not be used.
i. Exception: Low voltage power sources for terminal units (VAV boxes, fan coils, unit heater) may be protected by fuses or fusible winding transformers.
f. Terminal blocks in BAS control cabinets for connection to field devices are recommended, but not required with the following exceptions:
i. Where a fire alarm shutdown input is connected to a BAS control panel a terminal block with red terminals shall be provided. These terminals shall be labeled “FA” or “FA-#” where # is a unique identification number.
ii. Where a freeze-stat input is connected to a BAS control panel a terminal block with blue terminals shall be provided. These terminals shall be labeled “FZ” or “FZ-#” where # is a unique identification number.
Guidance: The use of specific terminals for fire alarm connections provided a common demarcation point for connection the fire system that is typically done by an alternate contractor. These unique terminals also allow simplified troubleshooting for field technicians working on the system.
iii. Terminals, when used, for general input and output points shall be gray in color and uniquely identified.
iv. Terminals, when used, for low voltage power source main connections shall be orange or yellow in color and uniquely identified.
g. Hinged door cabinets shall be used for all low voltage BAS control cabinets. Cabinets with hinged doors used for BAS controls shall come equipped with a key locking device, a padlock hasp or be able to be field modified to accept a manufacture provided locking kit specific to the enclosure.
2. BAS control cabinets shall be located in mechanical spaces, mounted to the outside of rooftop units, or in ceiling spaces next to or on equipment served. Under no circumstance shall BAS controllers be mounted in line voltage compartments of HVAC equipment, locations near unprotected rotating equipment, locations near hot surfaces (like near steam lines), or locations that require special permits to access.
3. When HVAC equipment provides built-in control space specifically designed for low voltage controls and there is no line voltage hazard exposed when the compartment is opened, these areas may be used for BAS controllers. The compartment must clearly be labeled “24VAC BAS Controls” on the outside of the access door. Guidance: The general concept of this section is to assure BAS controls can be accessed easily and safely. The separation of line and low voltage is typically easy to achieve for these types of systems if proper design considerations are made.
4. BAS control cabinets larger than 12”x12” shall be equipped with removable back panels.
a. A scaled back panel drawing shall be provided showing all mounted components and wire management devices.
b. Back panels shall be laid out to provide manufacture required space around components or adequate space to connect and disconnect wires from devices without removing the device, whichever is greater.
c. Wire management devices, like wire duct, shall be used to route wires. These devices and sizes shall be shown on the back panel layout.
5. Main BAS control panel locations shall be shown on floor plans.
a. Power requirements shall be shown on design plans, including power distribution panel, breaker identification, and load information. This information must be mirrored in electrical panel and distribution design documents.
b. For control panels requiring network connections, the requirements shall be shown on design plans.
D. Interfacing to Packaged HVAC Equipment
Guidance: This section specifies requirements for the use of packaged HVAC equipment with internal controls. Lessons learned at LANL have shown this is a critical design interface that cannot be left until submittal phase of a project. The design engineer can select how the integration will happen, but must prove to the LANL Process & Automation reviewer, at design phase, that the HVAC equipment and built in controls will be adequate to perform the required functions to LANL.
1. Many types of HVAC packaged equipment come from the factory with integral digital controls. When the design engineer choses to use this type of equipment the following minimum requirements must be met:
a. Mechanical specifications for HVAC equipment must be modified to specify this type of integration.
b. The Internal Digital Controls (IDC) of the unit must use BACNet MS/TP as its interface. No bridges built into the unit or otherwise, may be used to convert the protocol used.
Exception 1: Equipment that uses Modbus for communication may be used, but is not the preferred protocol.
Exception 2: Equipment that uses BACnet TC/IP may be used if a dedicated Ethernet connection to the BAS is used. The BACnet TC/IP connection may not operate over a LANL network (Yellow or otherwise). This may be problematic for some control vendors’ products, so consult with the control system supplier before designing this type of interface into the system.
c. The list of integration points for the HVAC equipment must be provided at the design review phase of the project. The points list must be specific
for the piece of equipment used and the application of the equipment. Points in the list must CLEARLY define the following:
i. The direction of data flow for the point. Is it a read only or a read/write?
ii. The data format for the point. Are offsets or decoding required to get the correct data from the raw point data?
iii. Specifics about how the point affects the system or what data the point is providing about the system.
iv. When control points are of the MSV type (MSI or MSO) the meaning of the indexes must be stated.
v. If special points are to be provided by the vendor to meet the required sequence of operation, these points shall be clearly identified as non-standard points.
d. A detailed wiring diagram of the equipment must be provided at the design review phase of the project. The wiring diagram shall show external control wiring connections as well as internal wiring of the unit so that adequacy of the controls can be evaluated.
e. A sequence of operations for the IDC must be provided at the design review phase of the project. This must be project specific. A generic sequence of operations for the equipment is unacceptable.
2. Many manufacturers of package HVAC equipment allow factory integration of BAS controllers directly into the equipment. When this is possible, it is the preferred method for integrating equipment and the BAS. When the design engineer choses to use this type of integration the following minimum requirements must be met:
a. Mechanical specifications for HVAC equipment must be modified to specify this type of integration.
b. Specification for the control system must be modified to make it clear to the control contractor that they must work with the HVAC equipment manufacture/supplier to accomplish the integration. Specifications for the mechanical HVAC equipment must also be modified to make it clear to the mechanical contractor/supplier that they must work with the control system integrator to accomplish the integration.
c. A factory acceptance test of the integrated system must be performed prior to delivery of the HVAC equipment to LANL. A LANL P&A design engineer must approve the test plan, witness the test performance, and approve the test results of this test.
3. Many manufacturers of package HVAC equipment provide stripped down version of their package equipment where all control sensors and devices are simply wired to a common terminal strip and no controller is provided. This allows the control contractor to mount their controls in the field at the time of construction. When the design engineer choses to use this type of integration the following minimum requirements must be met:
a. A list of sensors and devices must be specified that will be provided with the unit. Sensors specified must be compatible with the BAS system.
E. Heat Trace Systems18
1. When heat trace systems are installed to protect pipes from freezing the following minimum BAS interfaces are required:
a. A current sensor must be used to monitor each individual branch of the heat trace. Guidance: Multiple sensors are required to be able to identify a single trace circuit failure. In most modern heat trace systems the current draw of the heat trace is proportional to the load on the section of heat trace. A single current sensor used for several branch lines cannot detect the difference between a load variance due to temperature fluctuations verses a circuit break in a single branch line.
b. If the heat trace is enabled by a thermostat, then the BAS system must have a dedicated input to detect when the thermostat has activated or deactivated the heat trace. As an alternate the BAS system may provide this thermostatic function as an internal function of the BAS controls. When the BAS system is used for this purpose the heat trace shall failsafe on upon loss of the BAS system controls.
c. A dedicated commercially manufactured heat trace monitor system can be used to control a heat trace system. When this option is used, at a minimum the system shall provide an alarm contact that shall be connected to a dedicated input on the BAS system.
d. Failures of the heat trace system shall generate an alarm within the BAS.
e. Exception: Heat trace systems supervised by the building fire alarm system need not be monitored by the BAS.19
F. Server Rooms 1. Rooms used for the specific purpose of housing computer servers, telecom
equipment, or similar temperature sensitive equipment shall have the following BAS requirements.
18 Requirements for these systems are in ESM Ch 6 (D20 para “Freeze Protection”) 19 NFPA 13 requires that when heat trace systems are used for freeze protection of sprinkler system piping, such a system be supervised by the building fire alarm system (iaw NFPA 72). These heat trace systems are expected to be listed/approved for their intended use, which implies that their controllers come with the capability to be supervised. In the case of the RLUOB system being installed circa 2014, the controller provides an output for trouble conditions including loss of power and system problems (shorts, insufficient current, etc.
a. A temperature sensor must be installed and connected to the BAS system to monitor the room temperature. A high room temperature shall generate an alarm within the BAS.
b. If the HVAC equipment serving the server room is controlled by the BAS system, a secondary, high limit control shall be provided to activate cooling in the event of a BAS failure. Guidance: A high limit protection system that disconnects electrical power from the server equipment is an acceptable alternate (or addition) to a secondary BAS high limit control. This type of system may possibly damage server databases, but prevents significant damage to hardware due to overheating.
c. New server room HVAC systems shall be equipped with BACnet MS/TP interfaces and connected to the BAS to allow remote monitoring of the equipment.
G. Night Setback in all BAS Systems20 2. Provide setback control of zone temperatures per ASHRAE 90.1 (Section
6.4.3.2.2). When programmatic needs require a constant, unchanging temperature, a variance to the requirement for setback control may be granted, as approved in writing by the ESM, Chapter 6, 8 or 14 POC. This type of variance allows the controls to be set to run at a constant temperature at all times, but does not negate the need for the BAS and associated HVAC system requirement to be able to provide setback control.
Guidance: Due to the ever changing nature of work at LANL, many areas requiring constant temperature control at the time of construction may change their function and not require constant temperature control in the future. The up-front cost of implementing setback control at construction is far less expensive than implementing it in a completed building. By implementing setback control in all areas, this energy savings feature can be turned off or on as future needs require at a minimum cost. Exception: Dedicated server rooms, designed specifically for computer equipment only, are exempted from this requirement.
5.2 Limitation of BAS Control Vendors21
A. Control systems shall be one of the following:
1. Automated Logic Controls, Atlanta , GA
2. Alerton Controls, Redmond, WA
With specific critical operational needs, as approved in writing by the ESM Chapter 8 POC, the following control system may also be used:
20 This requirement has been an ESM requirement since 9-12-2013 under Variance 2013-111. 21 This requirement has been an ESM requirement since 7-6-2011 under Variance 2011-081
3. Allen Bradley Controls by Rockwell Automation, Milwaukee, WI
B. Exceptions:
1. Facilities with significant BAS systems not conforming to the above standard control system selection may repair, upgrade or expand the existing control system if the following are met:
a. The existing control system currently controls at least 50% of the facility floor space.
b. The existing control system is not at its end of life expectancy (it must be currently supported by the vendor).
c. Support for servicing of the control system is provided by the facility owner separate from institutional BAS support. An active service contract with the supplier of the non-conforming control system must be provided as proof such support exists.
d. The expansion of the existing control system is limited to the facility in which it is currently installed.
e. Upgrades are limited to no more than 20% of the existing system hardware point count.
f. Expansions can incorporate any number of points, but are limited to the facility the non-conforming control system is installed in.
g. Written prior approval in the form of a variance is approved by the ESM, Chapter 8 POC.
2. Specific justification provided in the form of a variance request, is submitted and approved by the LANL Chief Engineer and the ESM, Chapter 8 POC. This is considered a variance to the ESM.
3. Definitions (for purposes of this subsection only):
a. Hardware Point Count: The total number of physical points connected to the system by hardwired methods. These points are of the analog in, analog out, digital in and a digital out type.
b. Facility: A single building or structure typically assigned a building number (e.g., TA-3-1400).
c. Upgrades: Replacing existing, functional, equipment with newer equipment performing the same function.
d. Repairs: Replacing non-functional equipment with exact replacement parts from the same manufacturer.
B. Label I&C equipment in accordance with LANL Master Specification 22 0554, Identification for Plumbing, HVAC, and Fire Piping and Equipment, and LANL Master Specification 26 0553, Identification for Electrical Systems, as applicable.
C. ML-3 and 4 control systems may22 use simplified conductor identification when multi-conductor cables are used. This method allows the cable to be identified as specified above, but individual conductors may be identified by color coding. When this method is used the specific conductor colors must be identified on the as-built engineering documents. 23
D. Factory prefabricated cable assemblies do not require internal wires to be identified.
7.0 ENVIRONMENTAL QUALIFICATION24 (P & F) The requirements identified within this subsection are for nuclear-safety-related I&C systems or those I&C systems that provide a mission critical, defense in depth, or worker safety function or whose failure may impact the operation of safety-related SSCs. Evaluation of environmental considerations shall be documented in the design documents for ML-1 and ML-2 systems. For other non-safety I&C systems, all items in this section shall be interpreted as guidance that establishes sound engineering practice for the proper and reliable performance of I&C systems.
22 Local DAR requirements may eliminate this alternate identification method 23 The use of colors in multi conductor cables to identify individual conductors is an industry standard and simplifies
installation reducing cost while still maintaining traceability. 24 The requirements identified within the Environmental Qualification subsection must be established for safety-related
systems to ensure that the environment in which the systems will be placed is conducive to the performance attributes of the selected I&C components. DOE G 420.1-1A, Section 5.1.1.3 and DOE O 420.1C, Section DESIGN CRITERIA FOR SAFETY STRUCTURES, SYSTEMS, AND COMPONENTS, 3.a.(3) , establishes the requirement for Environmental Qualification as deemed necessary to ensure reliable performance of a safety system under those conditions and events for which it is intended. The requirements and guidance within the section are developed through several standards. ASME AG-1, “Code on Nuclear Air and Gas Treatment,” Article IA-4000 – Design Considerations, requires the identification of environmental conditions for safety-related systems. These standards establish methods to recognize and classify such environmental conditions. The standards are provided as follows: - ISA-71.01, “Environmental Conditions for Process Measurement and Control Systems: Temperature and Humidity” - ISA-71.02, “Environmental Conditions for Process Measurement and Control Systems: Power” - ISA-71.03, “Environmental Conditions for Process Measurement and Control Systems: Mechanical Influences” - ISA-71.04, “Environmental Conditions for Process Measurement and Control Systems: Airborne Contaminants” - IEEE 1-2000, “Recommended Practice – General Principles for Temperature Limits in the Rating of Electrical
Equipment and for the Evaluation of Electrical Insulation” - IEEE-1159, “Recommended practice for Monitoring Electric Power Quality” - IEEE-1100, “Recommended Practice for Powering and Grounding Electronic Equipment IEEE Emerald Book.”
The environmental conditions in which I&C equipment must operate or which can affect the proper or continued operation of I&C equipment shall be clearly identified and considered in I&C design and equipment selection. Normal ambient, abnormal operating, climatic and event conditions shall be evaluated in the identification of applicable environmental conditions. Guidance: The environmental factors that should be considered when selecting equipment location or equipment for a location include, but are not limited to, the following:
1. Temperature and/or Humidity Extremes
2. Barometric Pressure Variations
3. Airflow
4. Corrosive Atmospheres
5. Area Flooding
6. Acoustic Noise
7. Electronic Noise, or Electromagnetic Interference (EMI)
8. Power Supply Quality (electrical surges, frequency variations, etc.)
9. Grounding
10. Lighting
11. Lightning Protection
12. Physical Security
13. Vibration
14. Interference from Large Motors and Power Feeders
15. Chemical and Particulate (dust) Contamination
16. Radiation
17. Elevation above sea level
A. The I&C equipment that is required to meet performance specifications may necessitate a specific type of environment, or in other cases, the environment may limit the choice of equipment. Where I&C equipment cannot be found that will provide the required performance in the environmental conditions present, equivalent alternate method shall be provided such as heated, cooled, waterproof, corrosion protective and similar enclosures. For enclosures or other environment protective devices, their effect on equipment performance, ability to test, and effect on calibrations shall be evaluated.
B. All environmental restrictions imposed by the manufacturer of the equipment shall be met. If several types of equipment are to be located within the same environment, the environment must satisfy the most restrictive of all the equipment specifications.
Guidance: In extreme cases, the equipment climate may require very close control over all environmental aspects. In some instances, sensitive equipment may be placed in a sealed enclosure, so that only a relatively small volume would need to be protected. The more rugged equipment, such as programmable controllers, industrialized PCs, or MIL-
Spec equipment, can usually be installed and maintained under the existing ambient conditions. Hazardous areas may necessitate the use of intrinsically safe equipment, explosion-proof enclosures, sealing and purging, etc.
C. If I&C equipment is to be located in Class I, Divisions 1 and 2; Class II, Divisions 1 and 2; or Class III, Divisions 1 and 2 locations, where fire or explosion hazards may exist due to flammable gases or vapors, flammable liquids, combustible dust, or ignitable fibers, then the requirements of NFPA 70 (NEC) – Articles 500 through 504 shall be met.
Guidance: ANSI/ISA-RP12.06.01, “Wiring Practices for Hazardous (Classified) Location Instrumentation – Part 1: Intrinsic Safety”, provides guidance in the design, installation, and maintenance of intrinsically safe I&C systems for hazardous (classified) locations. This recommended practice should be used in conjunction with the requirements of Article 504 of the NEC.
7.2 Specific Requirements
A. Temperature: The temperatures to which I&C equipment may be exposed in the application shall be clearly identified. The temperatures of concern shall be evaluated against the specified operational temperature requirements for the selected equipment to ensure compatibility. If equipment selection is not conducive to the given temperature conditions, alternate measures shall be taken, such as the use of the temperature-controlled enclosures.
Guidance: The temperature of concern is the temperature of the medium (whether air or liquid) which affects or cools the equipment. In regard to fan-cooled equipment, the temperature of concern is that of the air entering the equipment. Operational temperature requirements for equipment are normally well defined in the manufacturer’s literature. Two separate temperature ranges are typically specified, one for when the equipment is in operation and another for when the equipment is powered-down, shipped, or in storage. Operating temperatures may also be specified as ambient, which refers to the surrounding temperature, and process, which refers to the process media being measured. The manufacturer’s equipment specifications may also include a maximum allowable rate of change of temperature, given in degrees per hour.
B. Airflow: The design and control of airflow systems shall consider both equipment locations and normal airflow patterns.
Guidance: Airflow in fan-cooled and convection-cooled equipment is generally vertical through the enclosure and can be from either the bottom or top. For rooms containing equipment with downward airflow, the air supply should be overhead and the return plenum should be low or in the floor. If a raised floor is in place, the space under the floor may provide the return plenum. For upward airflow, the use of the sub floor space as a supply plenum should consider the additional design considerations and continuing maintenance to prevent the infiltration and accumulation of dust, dirt, and moisture under the floor.
C. Relative Humidity: The selection of equipment shall consider the relative humidity to which I&C equipment may be exposed in the application. If necessary, the design shall incorporate the use of humidity control equipment to assure operation within the defined limits for the selected equipment.
Guidance: The operating relative humidity requirement for equipment is normally well defined in the manufacturer’s literature and typically given as an operating range and a maximum time rate of change. Limitations may be given for shipping and storage as well as for operation. Typically, the desired operating range is about 40 – 60 percent. Low relative humidity (less than 30 – 40 percent) can result in system errors or shutdowns due to generation of static electricity. At LANL, this is addressed with proper grounding rather than humidification. High relative humidity can lead to condensation.
D. Particulate Contamination: The presence of particulate matter (dust or dirt) shall be considered for its effect on I&C equipment.
Guidance: Dust, grit, and sand present at the inlet of process media sensing devices can prevent the equipment from performing its function. Dust build-up decreases the ability of electrical components to shed their heat, which decreases longevity. In fan-cooled equipment, the accumulation of dust on filter media will reduce airflow and cause overheating. If the dust is conductive, it can cause faults: if nonconductive, it can infiltrate and insulate switches and contacts. Careful, meticulous sealing of all equipment enclosure openings will reduce contaminant infiltration.
E. Chemical Contamination: Consideration shall be given to potential chemical contamination and corrective action shall be taken to limit any potential contamination below levels that could adversely affect equipment performance.
Guidance: Certain chemicals, including sulfur dioxide, oxides of nitrogen, hydrogen sulfide, and ammonia, are known to affect electronic equipment at concentrations safe for human occupancy. Most corrosion processes accelerate rapidly at increased temperatures or humidity level (or both). Some maximum allowable levels recommended by equipment manufacturers are below levels that can be readily measured.
F. Vibration and Shock: The proposed location of I&C equipment shall be evaluated for potential sources of vibration and shock, such as nearby heavy rotating or stamping equipment or heavy mobile traffic. Consideration shall be given to potential vibration and shock sources when mounting I&C equipment to assure operation within the equipment manufacturer’s defined limits.
Guidance: Continuous vibration can cause slow degradation of contacts and any mechanical parts. Shock can instantaneously change an instrument adjustment, as well as cause effects similar to vibration. It is usually more practical to relocate equipment or to apply controls at the vibrating equipment than to try to isolate the equipment from the vibration.
G. Power Line Conditioning and Backup: The equipment manufacturer’s power requirements shall be met. In many cases, meeting these requirements involves more than just supplying the appropriate voltage and ampacity ratings. Frequently a special type of receptacle is required, which is usually well defined in the manufacturer’s literature. Transient Suppressors may be required depending on the type of device. Tolerance to voltage transients and brownouts are also typically defined in the manufacturer’s literature. ANSI standards permit user line voltage to be as much as 11.7 percent below nominal. Brownouts may cause additional voltage reductions of 3 to 10
percent. These reductions may severely disrupt equipment operations and may necessitate the need for power conditioning and/or backup power supplies.
Guidance: Certain critical systems should be able to operate through a power dip or an extended power outage; these should be provided with a backup power supply. For less critical systems, a packaged power conditioning system should be considered.
H. Electromagnetic Interference (EMI): The proposed location of I&C equipment shall be evaluated for potential sources of EMI and consideration shall be given to its effect on the operation of the equipment. EMI results from electromagnetic emissions generated by and coupled to equipment or systems (or both).
Guidance: Common EMI sources include thunderstorms, high voltage power lines, power tools and manufacturing machines, relays, contactors, motors, vehicle ignitions, and arc welders. Isolation, shielding, and grounding may be required to prevent expected problems.
I. Radio Frequency Interference (RFI): The proposed location of I&C equipment shall be evaluated for potential sources of RFI and consideration shall be given to its effect on the operation of the equipment. RFI results from electromagnetic fields generated by communication and electronic equipment.
Guidance: Common RFI sources include hand held radio transmitters, cell phones, proximity to radio or television disks or towers, and proximity to communication relay disks or towers. Generally, RF fields within the facility should not exceed 0.5 v/m. Not more than 1V RMS, in the frequency range of 10kHz to 3 MHz, should exist on the ac connection points to the system. Isolation, shielding, and grounding may be required to prevent expected problems.
J. Static Electricity: The potential for static electricity problems shall be determined and if present, prevented or corrected.
Guidance: Static electricity can have a significant effect on digital equipment and equipment connected to explosive applications or in explosive environments. The catastrophic effect is the breakdown and permanent damage of semiconductor devices. The transient effect is the introduction of extraneous logic signals or voltages induced on ground or signal wiring, which can result in operational error.
8.0 COMPUTER/CONTROL & DATA PROCESSING SYSTEMS AND EQUIPMENT (P & F)
8.1 General
A. The requirements and guidance identified within Section 7.0, Environmental Considerations, are applicable to computer/control and data processing systems and equipment. The following is provided as a supplement25 to Section 7.0 to specifically highlight the needs of digital and computer-based systems. When selecting a location for
25 Section 8 is applicable to those systems defined in section 7.0, Guidance for all other systems
this type equipment, the environmental factors identified within this section shall be addressed26.
Guidance: The following represents input and/or guidance in addition to that identified within Subsection 7.0, Environmental Qualification, for control/computer room design, equipment location, and equipment installation:
1. Temperature: Although cooler temperatures are preferable for computers, operation near the center of the defined range is recommended to strike a balance between individual comfort, energy efficiency and computer operation.
2. Temperature: For rotating media storage (e.g., disk drives), the manufacturer typically gives a maximum allowable rate of temperature change. In such equipment, the disk and drive mechanism should be kept at the same operating temperature and rapid temperature transients should be avoided. This is true for most all I&C signal processing equipment.
3. Relative Humidity: Magnetic storage media should not be contained within areas that could experience rapid changes in relative humidity. The manufacturer of such equipment typically identifies the maximum allowable time rate of change.
4. Particulate and Chemical Contamination: Computer/control and data processing equipment, especially moving magnetic storage devices (disk drives and tapes), is typically sensitive to damage caused by contaminant infiltration. Filter replacement and dust or particulate removal should be performed regularly in all computer equipment cabinets as part of a preventative maintenance program. General cleanliness and good housekeeping practices should be enforced. Equipment and partitions should be arranged to minimize the number of times doors are opened. The use of the room as a thoroughfare should be prohibited. In some installations, a remote console will solve contaminant infiltration problems.
5. Vibration: Careful attention should be given to potential sources of vibration when selecting a location for disk drives, which are particularly sensitive to vibration effects.
6. Electrical Power: Design provisions or operating procedures (or both) should be established to prevent vacuum cleaner or similar motor driven equipment from being powered from the computer power conditioning system. Refer to ESM, Chapter 7 requirements for isolated ground power for computer and instrumentation loads. A disconnecting means should be provided to disconnect the power to all electronic equipment in a data processing room. This disconnecting device should be controlled from locations readily accessible to the operator at the principal exit doors. There should also be a similar device to disconnect the HVAC system servicing the area. Article 645 of the National Electrical Code provides specific requirements for the electrical wiring associated with computer systems.
7. Interference: A computer and peripherals can erroneously interpret radiated energy from EMI or RFI sources as data or control signals. The result can appear as I/O problems, analog to digital conversion inaccuracies, or outright processor failures. The random nature of the interference makes failure diagnosis difficult. Computer/control and data processing equipment should be located away from
26 Required Standard IEEE Std 7-4.3.2 provides other requirements for Digital Computer used in Safety Systems
sources of EMI or RFI. When this is not practical, it may be necessary to enclose vulnerable computer components within an RFI-shielded enclosure or area.
B. Work with the ESM Chapter 8 POC to implement and maintain risk-based cyber security controls.27
8.2 Computer/Control Rooms
A. The following items shall be addressed in the design of computer/control rooms:28
1. Proper space allocation for computer equipment, consoles, servers, storage area (for manual, documents, listings, maintenance equipment, etc.), environmental conditioning equipment (air and electrical power conditioning), fire protection equipment, and power distribution.
2. Room accessibility for both operating and maintenance personnel. Guidance: The addition of interior windows, where appropriate, can reduce unnecessary traffic (e.g., room security, safety of personnel, etc. can be observed without entering the room).
3. Space allocation for any potential expansion.
4. Suitable access and easy loading areas for equipment.
5. Adequate and convenient wire paths for installing signal, data, process control, safety, and associated power wiring to and from the computing systems. Guidance: An overhead cable tray system provides the most convenient method for the installation of computer room wiring. Unrelated services, such as power conductors, water and steam piping, etc., should not be installed in the computer room or its included spaces and specifically should not be present overhead of data processing equipment or computer/control rooms. If unrelated services must be installed, the design should incorporate appropriate measures to protect the computer equipment.
6. Data handling and analysis area. This is normally a small area for a conference table and chairs where computer printouts and reports may be laid out for analysis.
7. Emergency lights, fire doors, power and air handling interlocks, etc.
8. Radio-frequency interference (RFI) and electromagnetic interference (EMI) shielding, if required.
9. Fire codes and requirements.
10. Telephone and intercommunication systems.
11. Adequate and proper lighting. Guidance: Two levels of lighting may be necessary; one for normal operation and one for maintenance. The Illuminating Engineering Society (IES) Lighting Handbook includes both quantitative and qualitative design
27 Recommended areas to address, per the “Cybersecurity Procurement Language for Energy Delivery Systems” include: software and services, access control, account management, session management, authentication/ password policy and management, logging and auditing, communication restrictions, malware detection and protection, heartbeat signals, reliability and adherence to standards. Cyber security issues must be considered when implementing computer-based control systems during all phases of a project. Consider the application of such standards as ISA 99 and the inclusion of LANL experts when addressing cyber security implementation. 28 From NRC NUREG-0700, “Human-System Interface Design Review Guidelines,” and IEEE-1023, “IEEE Guide for the Application of Human Factors Engineering to Systems, Equipment, and Facilities of Nuclear Power Generating Stations”
data for various lighting needs. Where Computer Display Screens are in use, glare and reflection should be eliminated, so indirect lighting should be used where possible. Dimmer switches are sometimes used to reduce glare. Note, however, that SCR dimmer controls can be a source of RFI and should be avoided.
B. The computer/control room design, location, and access points shall be evaluated for the potential presence or introduction of contaminants through materials of construction, ventilation systems, transfer from adjacent areas or from workers and visitors. Any potential source of contamination that would affect the proper operation or reliability of the equipment shall be prevented by design, protective measures, or administrative procedures.29
Guidance: The following should be taken into consideration to prevent the presence or introduction of contaminates within a computer/control room:
1. Only materials that do not produce contaminants should be used in control/computer room construction. Sprayed-on acoustical ceiling and mineral-based drooped ceiling tiles should be avoided because they tend to flake. Glass fiber tiles that produce abrasive particles and floor covering that tend to crack or crumble should be avoided. Also, carpets should be of a quality that minimizes the release fibers and particulate. All exposed concrete should be sealed.
2. Specially treated (impregnated) mats should be placed at each entrance to reduce the amount of dust tracked in by personnel.
3. The use of a computer/control room as a gathering place should be avoided. However, the room may need to be used as a rally point for personnel in the event of a fire, explosion, or fume release. In such cases, provisions necessary for employee protection as well as for equipment protection should be considered.
4. All floor or other cable trays should be capable of being kept clean and free of dirt, grit, or debris.
5. Maintaining the computer/control room at a positive pressure may be considered as a means of preventing the entry of contaminates. In this application, special attention must be given to the quality of the inlet air and its source.
C. The potential for static electricity in computer/control rooms shall be eliminated to the maximum extent possible in room design and equipment location. Where a potential may exist for the generation of static electricity that could be detrimental to equipment operation, measures shall be taken to minimize the potential for static electricity generation. This may take the form of material and equipment prohibitions, temperature and humidity control, grounding methods, etc.30
Guidance: The following should be taken into consideration to prevent static electricity in computer/control rooms:
1. For control of static electricity, carpet is not the preferred floor covering for computer/control rooms. If carpet is used, steps should be taken to reduce static
29 Established from NRC NUREG-0700, “Human-System Interface Design Review Guidelines,” Section 13.1.5 – Protecting Equipment and Components from Hazards 30 Established from NUREG-0700, “Human-System Interface Design Review Guidelines,” Section 13.1.5 – Protecting Equipment and Components from Hazards
buildup. Certain carpets are given anti-static properties by the incorporation of metallic fibers during manufacture or treatment with anti-static agents. Anti-static sprays are available for use on existing carpet. Wax buildup on tile floors also increases surface resistivity and leads to static problems. The remedy is to forego waxing or to use a wax formulated for high conductivity.
2. Furniture in the vicinity of digital equipment should be chosen carefully. Seat covers of plastic are normally more likely to generate static charges than cloth covers. Wheels and casters should contain conductive material and should be lubricated with graphite or conductive grease. Rubber or plastic feet should be avoided.
3. Storage space may be required for operating supplies and storage media, spare parts and components, and backup software. These items may need protection from static electricity buildup both in storage and when handled. The manufacturer’s recommendations for both the use and storage of these items should be followed.
4. Personnel grounding straps and insulating footpads may be necessary for especially sensitive processes or operations. Equipment sensitivity of this nature should be identified in design and operation documentation.
D. Guidance: Locating a computer/control room in an area subject to flooding should be avoided. Where this is not realistic for all possible conditions and flooding is possible, alternative measures should be taken, such as constructing a raised floor for the computer/control room. For raised-floor computer/control rooms, the installation of an alarm system initiated by water detectors located under the raised flow should be considered.
9.0 COLOR CONVENTIONS FOR PROCESS DISPLAYS31 (P & F) A. Within a given facility, color conventions for process displays shall be consistent, simple,
and unambiguous.
B. Color coding shall be redundant with some other display feature (e.g., text, symbol, shape, size, intensity, or inverse video) such that all necessary information is available on a monochromatic display or printout, or when viewed by a user with color vision impairment.
C. The color conventions given in Table 8-332 shall be used for process displays.33 Guidance: Color identified in the last column as “Contrasts Well With” are recommendations, not requirements. However, color combinations should be carefully selected to ensure good contrast (e.g., do not use red characters on a green background).
31 Taken from SRS Engineering Standards Manual WSRC-TM-95-1, “Color Conventions for Process Displays,” in accordance with ANSI / ISA 5.5-1985, “Graphic Symbols for Process Displays” 32 Does not apply to standard BASs (ML-3 and 4); use vendor standard graphics packages using vendor standard colors. 33 The color convention table is taken from NRC NUREG-0700, 1997, Rev. 2, Table 1.4, “Guidelines for Control Room Design Reviews,” and ANSI/ISA 5.5-1985, “Graphic Symbols for Process Displays.”
D. When using the colors red and green in a HMI, clarify the meaning on the display by providing clarifying text next to the indicator. In any given HMI system, the use of colors shall be consistent throughout all displays. 34
Table 8-3 Color Conventions for Process Displays
Color Generic Meaning
Associated Meanings Attention Getting Value
Contrasts Well With
Red Unsafe Emergency Danger High Priority Alarm Closed / Off / Stopped (inactive) Closed / On / Flowing (electrical power distribution)
Good White
Yellow Caution Hazard Second Priority Alarm Abnormal State
Good Black Dark Blue
Green Safe Safe Satisfactory Open / On / Flowing (active) Open / Off / Stopped (electrical power distribution)
Poor White
Light Blue (cyan)
Static and Significant
Equipment in Service Major Labels
Poor Black
Dark Blue Non-Essential Equipment in Standby Labels, Tags
White Dynamic Data Measurement and State Information System Messages Trend Active Sequence Step
Poor Black Green Dark Blue Magenta Red
Black Background Poor White Yellow Light Blue
D. For ML-2/Safety Significant or ML-1/Safety Class structures, systems and components, a review shall be conducted during the design process for proper application of color and shape conventions from a human factors perspective.
E. Guidance: The number of colors used for coding should be kept to the minimum needed for providing sufficient information (usually no more than eight colors). Decorative use of color should be eliminated.
34 This has been a longstanding issue at LANL. The use of red and green indicators at existing LANL facilities is inconsistent. Red is used for running (on) indicators at most MCCs, but is used for stop in other applications. Changing color codes on all systems to be constant is an impossible task. This requirement is the best possible solution without the need to change existing systems while still providing a consistent, understandable display for users.
F. Guidance: Highly saturated colors should be used for coding to provide good contrast from each other and their backgrounds.
G. Guidance: Gradual changes in color intensity should not be used to indicate relative values of variables.
H. Guidance: Flashing or audible indications should be included when display items require immediate operator attention, such as alarms.
10.0 GROUNDING PRACTICES (P&F) A. Grounding systems for I&C and Computer/Data Processing systems and equipment shall
be provided to minimize damage to equipment, interference with equipment operation or signal processing, and shock or other electrical hazards to personnel. Federal Information Processing (FIPS) Pub 94 provides a guide, checklist and evaluation criteria for specifying power and related grounding and life-safety requirements for the design, installation, and operation of Automatic Data Processing (ADP) systems. This standard shall be used in conjunction with the mandatory power-grounding requirements of NFPA 70 (Article 250), IEEE 142, IEEE 1100, and IEEE 1050.
Guidance: Grounding systems should be designed to meet the following major goals: 1. Provide for personnel and equipment protection and life-safety required by various
regulatory agencies.
2. Maintain all equipment and circuits at the same reference ground potential.
3. Provide a safe, high ampacity fault return path for those power distribution systems that have the source or generating system referenced to ground.
4. Maintain a low inductive loop area between the power distribution system and the fault return path for equipment that has a potential for high fault currents.
5. Provide a low impedance leakage path for any static charge that may accumulate on equipment.
6. Provide a low impedance discharge path for energy storage devices such as capacitors and inductors that are installed for the suppression of high voltage transients or electrical noise.
7. Minimize noise interference in instrumentation systems by providing common reference planes of low relative impedance between devices, circuits, and systems.
8. Assure that all ground system conductors that must carry high frequency signals (greater than 10 kHz) are selected for low inductance characteristics. At 1 Megahertz, the impedance of an average length ground conductor is around 4,000 ohms.
B. Conductive enclosures that contain I&C and computer/data processing system components shall be appropriately connected to ground to ensure that shock hazard risks are minimized for personnel.35
35 Established from NFPA 70, Article 250 – Grounding, Section 250.4 and IEEE 1050, “Guide for Instrumentation and Control Equipment Grounding in Generating Stations,” Section 5.0 – I&C System Grounding
Guidance: The connection should provide a low resistance path to ground for any fault currents that may be produced by mechanical failures, insulation failures, component failures, accidents, etc. Low resistance paths to ground maintain low potential differences between metal components and reduce the chances of a fault-induced current flowing through personnel in contact with system components. Grounding is especially important in an environment where conductive elements may be present in the flooring, piping, ductwork, or other equipment.
C. The grounding of I&C and computer/data processing systems shall provide protection against self or adjacent equipment generated or induced electrical noise.
Guidance: The following information provides insight on potential sources of electrical noise, its effects on I&C and/or computer/data processing systems, and the application of proper corrective grounding techniques:
1. Computer/control and data processing systems utilize high speed, low level switched signals for operation. At the high frequencies at which these systems operate, electrical noise will propagate, traveling between two conductors or between an insulated ground conductor and other grounds or metallic components in the area. It is important that the system ground be connected in such a way that it does not act as part of a transmission line to couple noise into the computer system. This can be avoided by keeping this ground very short, tying directly to the reference ground plane or ground node, or by insuring that only one conductor is connected to the system and all other signals enter on fiber optics.
2. Noise can be avoided by segregating equipment that generates electrical noise from computer circuitry. Relatively small amounts of high frequency electrical noise can disrupt computer operation and cause downtime, loss of function, or spurious equipment operations.
3. When using LAN’s, such as Ethernet, and low frequency noise is encountered, the loop may be broken by installing ground isolation devices in the communication network at each node. The ground isolation device will appear as a high pass filter inserted in the communication link. Ensure ground isolation of the communications network at each node.
4. All connections in signal cable should consider possible noise coupling points and should be made carefully with special consideration given to the shield connection. Anytime the shield of a coax cable is broken a coupling path is created for high frequency noise from the outside environment to enter the inside environment of the coax cable shield.
5. The biggest contributor to signal inaccuracy is noise injected into input/output signals. The best way to minimize this noise is through proper grounding and wiring methods of the I/O signal hook-up. IEEE Standard 1050 should be used as a reference on shielding and grounding for instrumentation cables.
D. For control and computer/data processing communications protocols that utilize non-isolated systems to transfer data (RS232, RS422, RS423, etc.), the Data Terminal and Communication equipment shall be powered and grounded by the same source as the device providing the signal to prevent ground loops. Peripherals connected to optically
isolated communications can be grounded to any grounding system of adequate integrity.36
E. Facility grounding systems shall be evaluated to ensure the system is adequate for the applicable I&C and/or computer/data processing system and equipment.37
Guidance: Large inductive electrical loads cause electrical noise on all conductors in the vicinity and a typical facility ground may have loops that will pick up very large noise voltages. The inadvertent connection of a computer system across such a loop may couple large noise signals into the computer system. To avoid the inadvertent second connection to facility ground, it may be preferable to run a separate ground node for the computer system. This ground node should still tie to the facility ground at a single point for safety reasons. The facility ground system should be evaluated to determine if the network impedance is suitable for a proper ground system. If it is not, then it will be necessary to install a new ground system network that is connected to earth at the same point as the facility ground. Grounding methods should be in accordance with IEEE Standard 142, which complements the NEC.
F. For I&C and computer/data processing distributed systems, grounding conductor runs over 250 feet shall be avoided. If conductor runs over 250 feet are necessary, a new single point ground node shall be created for all equipment that is located within the 250 foot run limit and connected to the single point earth ground for the facility/system.38
Guidance: It is possible to treat different system nodes as essentially separate systems as far as grounding is concerned. This adheres to the distributed ground concept in IEEE 1050. Every effort should be made to ground equipment that may communicate in any way to the same earth ground. If more than one piece of equipment is tied to separate earth grounds, the earth currents will create a potential difference between the equipment. A lightning strike or power fault in the vicinity can create hazardous potentials between earth grounds. When distances from a system or equipment to the nearest node become excessive, a new node should be created.
Note: As the frequency increases, the impedance of the ground conductor increases. At 10 Megahertz, the impedance of a typical ground conductor may be in the order of 40,000 ohms and will no longer serve the purpose of providing a common reference point. Where high frequency grounds or connections are required, conductor shape and length must be selected for low inductance (impedance).
G. Guidance: The codes, standards and guidelines identified in this section provide grounding practices that should be consistent with most equipment manufacturer requirements. However, these codes, standards and guidelines should be used in
36 Established from IEEE 1100, “IEEE Recommended Practice for Powering and Grounding Electronic Equipment,” Chapter 9 – Telecommunications and Distributed Computing, Section 9.11.2 – Grounding. 37 The requirement is deemed “Good Engineering Practice” and is established to ensure that the integrity of the facility grounding system is adequate for proper system operation. An inspection is considered necessary to ensure compliance with NFPA 70. 38 The requirement is established to preclude the installation of a ground conductor that would not provide an effective low-impedance current signal reference. Refer to IEEE 1050, “Guide for Instrumentation and Control Equipment Grounding in Generating Stations,” Section 5.2.2 – Ground Conductor Lengths. For Single-point grounding refer to IEEE 1100, “IEEE Recommended Practice for Power and Grounding Electronic Equipment,” Chapter 8 – Grounding Consideration, Section 8.5.4.5 – Single-point and Multi-point Grounding.
conjunction with the manufacturer’s computer control and data processing systems grounding recommendations. The manufacturer’s grounding specifications should be reviewed for consistency with relevant standards and industry practices. Grounding schemes requiring a dedicated ground conductor routed separately to special earth points would not be acceptable. The I&C and/or computer/data processing system design and installation should be in compliance with the applicable portions of the National Electric Code. Safety takes precedence over potentially conflicting considerations.
11.0 PROCESS CONTROL AND AUTOMATION A. Comply with the following LANL Master Specification sections when issued. Guidance:
Drafts may be available from the I&C Chapter POC for voluntary use.
40 9000, Instrumentation and Control for Process Systems 40 9119.29, Liquid Pressure Process Measurement Devices 40 9119.36, Temperature Process Measurement Devices 40 9123.33, Flow Process Measurement Devices 40 9123.36, Level Process Measurement Devices 40 9200, Primary Control Devices 40 9213.13, Electrically Operated Primary Control Valves 40 9213.19, Pneumatically Operated Primary Control Valves 40 9413.13, Host Process Control Computers 40 9433, Human Machine Interfaces 40 9443, Programmable Logic Controllers 40 9513, Process Control Panels 40 9573, Process Control Wiring
12.0 ADDITIONAL REQUIREMENTS FOR NUCLEAR-SAFETY-RELATED SYSTEMS (P & F) Note: Refer to Section 2.0 for the definition of safety-related systems.
12.1 General
A. The codes and standards identified within the Table 8-2 above are the minimum set of codes and standards that shall be applied to satisfy the requirements of DOE O 420.1C regarding safety-related instrumentation and control systems. Alternative methods can be used only if the requirements of this section are satisfied as determined by independent review and a variance is granted in accordance with ESM Chapter 1 Section Z10. Any implementation methods selected must be justified and documented to ensure that an adequate level of safety commensurate with the identified hazards is achieved.39
B. Deferred design: Safety related ML-1 and 2 (SC and SS) systems cannot be done as a deferred design; justification must be provided, and Ch 8 POC approval given, to allow this type of control system design to be done as such.40
C. Emergency features shall be provided to include alarms and monitors that alert workers and the public to the existence of unsafe conditions and to record the sequence and severity of an accident.41
D. Alarms for loss of ventilation or differential pressure shall be provided on primary confinement systems (gloveboxes or hoods).42 Guidance: Alarms for loss of ventilation or differential pressure should also be considered on secondary confinement systems (rooms).
E. The requirements from 29 CFR 1910, Subpart Z, shall be addressed for monitoring and alarms systems for facilities that manage or use specific hazardous materials.43
F. Alarms shall be provided to annunciate in the event concentrations of radioactive or hazardous materials above specified limit are detected in an effluent stream.44
G. Adequate instrumentation and controls must be provided to assess system performance and to allow the necessary control of system operation.45
H. Emergency evacuation annunciation systems and general communication systems shall be installed per ESM Chapter 7 Electrical and the applicable NFPA codes and standards listed in DOE-STD-1066. Installation requirements for transmission of alarm conditions to building occupants should be considered public mode systems and address topics such as: protection of circuits; minimum audibility requirements above background noise; voice intelligibility; and visual signals, including minimum light intensities.46
I. The safety functions of instrumentation, control, and alarm systems shall:47
1. Provide information on out-of-tolerance conditions/abnormal conditions
2. Ensure the capability for manual or automatic actuation of safety systems and components
3. Ensure safety systems have the means to achieve and maintain a fail-safe shutdown condition on demand under normal and abnormal conditions, actuate alarms to reduce public or site-personnel risk, and inform operators of safety actions required and completed (e.g., effluent monitoring components and system).
J. The design of safety-related instrumentation and control systems must incorporate sufficient independence, redundancy, diversity, and separation to ensure that all safety-related functions associated with such equipment can be performed under postulated
40 Normally must be integrated with many other systems/disciplines/safety basis requirements 41 From DOE G 420.1-1A, 5.4.15 Design of Instrumentation, Controls, and Alarm Systems 42 From DOE G 420.1-1A, 5.4.3 Design for Radiation Protection and Contamination Control 43 From DOE G 420.1-1A, 5.4.5 Design for Non-Radioactive, Hazardous Material Protection 44 From DOE G 420.1-1A, 5.4.6 Design for Effluent Monitoring and Control 45 Ibid 46 From DOE G 420.1-1A, 5.4.8 Design for Emergency Preparedness and Emergency Communications 47 From DOE G 420.1-1A, 5.4.15 Design of Instrumentation, Controls, and Alarm Systems
accident conditions as identified in the safety analysis. Under all circumstances, ML-1/safety-class instrumentation, controls, and alarms must be designed so that failure of non-safety equipment will not prevent the former from performing their safety functions.48 Guidance: Safety-significant components should be evaluated as to the need for redundancy on a case-by-case basis.
K. Safety-related instrumentation and alarm-system designs must ensure accessibility for inspection, maintenance, calibration, repair, or replacement.49
L. Safety-related instrumentation, control, and alarm systems must provide the operators sufficient time, information, and control capabilities to perform the following safety functions:50
1. Readily determine the status of critical facility parameters to ensure compliance with the limits specified in the Technical Safety Requirements.
2. Initiate and verify completion of manual safety functions or verify automatic action is initiated and completed.
3. Determine the status of safety systems required to ensure proper prevention of the accident or mitigation of the consequences of postulated accident conditions and/or to safely shut down the facility.
M. Safety-related ventilation system designs must provide manual or automatic protective control features as needed to prevent or mitigate an uncontrolled release of radioactive and/or hazardous material to the environment and to minimize the spread of contamination within the facility. Also, inclusion of adequate instrumentation to monitor and assess performance with necessary alarms for annunciation of abnormal or unacceptable operation is required.51
N. Attachment E, Alarm Management Guidance shall be considered requirements for safety related instrumentation systems. However, the I&C POC shall have authority to grant variance to these requirements.
O. Guidance: The preferred method to prevent or mitigate a safety basis event is to provide automatic protective features with appropriate alarms to indicate the approach to actuation of the automatic feature and monitoring devices to provide accurate indication of the sensed parameter value, etc.
P. ML levels and SS and SC are discussed in AP-341-502, Management Level Determination and Identification of Quality Assurance and Maintenance Requirements.
48 Ibid 49 Ibid 50 Ibid 51 From DOE G 420.1-1A, 5.4.12 Design of Ventilation Systems
A. Installations shall conform to instrument location, installation and isometric (if provided) drawings. These documents shall establish the installation design requirements for ML-1 and/or Safety Class and ML-2 and/or Safety Significant instruments and their sensing lines, with regard to their safety function, postulated health hazard and their protection against failure.53
B. ML-1/Safety Class redundant instruments, instrument tubing, and piping (sensing lines) shall be routed and/or protected to withstand the credible effects both during and following design bases accidents for which the instruments/systems are required to perform.54
C. Separation of redundant ML-1/Safety Class or redundant (as determined by safety analysis) ML-2/Safety Significant instrument shall be achieved by the use of structures, distance, barriers, or any combination thereof. Any deviation from these methods of separation must be submitted to the I&C POC for approval.55
D. For technical requirements for safety-related tubing and piping systems, see ESM Chapter 6 and 17.
E. Redundant ML-1/Safety Class and redundant (as determined by safety analysis) ML-2/Safety Significant instrument sensing lines shall be routed and protected so that the failure of one redundant system will not disable equipment essential to the operation of the other redundant system(s). Sensing lines of one channel shall not crossover or come in contact with equipment of another redundant channel, whether it is in the same or another functional loop of another channel.56
F. When locating safety instruments on racks or in cabinets, care must be given to assure that no two redundant instruments are mounted on the same rack or in the same cabinet.57
G. Safety-related wiring, sensing lines, and mechanical signal lines shall not be routed where vibration, abnormal heat, or stress could affect performance.58
H. The minimum separation between instrument sensing lines of redundant channels shall be at least 46 cm (18 inches) in air in both horizontal and vertical directions in non-missile or jet impingement areas. The 46 cm (18 inches) minimum spacing required between the redundant channels shall be maintained from its starting point at the root valve to the vicinity of the instrument. If this separation is not possible, Engineering shall be consulted to determine if a suitable barrier should be used. A barrier may be equipment, structural steel shapes, building structures such as walls, ceilings, floors and shield walls.
52 Taken from SRS Engineering Manual WSRC-TM-95-58, “Mechanical Installation of Safety Class and Safety Significant Instrumentation,” for compliance with DOE Order 420.1A 53 IEEE 336, “IEEE Standard Installation, Inspection, and Testing Requirements for Power, Instrumentation, and Control Equipment at Nuclear Facilities” 54 IEEE 384, “IEEE Standard Criteria for Independence of Class 1E Equipment and Circuits” 55 Ibid 56 Ibid 57 Ibid 58 ISA 67.02.01, “Nuclear Safety-Related Instrument Sensing Line Piping and Tubing Standard for Use in Nuclear Power Plants”
When a barrier is used, it shall extend at least 2.5 cm (1 inch) beyond the line of sight between the two redundant channel sensing lines. Where potential missiles can be identified, additional separation, barriers and/or missile shields may be necessary. Missile shields may be structural steel shapes such as plate, channel and angle, covered tray or pipe guards.59
I. Supports, brackets, clips or hangers shall not be fastened to the sensing lines or their supports for the purpose of supporting other equipment, cables, etc., without specific approval.60
J. Where instrument sensing lines of more than one channel of a redundant set penetrate a wall or floor, the redundant sensing lines shall be routed through separate penetrations and separated by a minimum distance of 46 cm (18 inches). If the use of separate penetrations is not feasible, approval is required to use a common penetration. The use of a common penetration may require the design of:61
1. A suitable barrier, such as a guard pipe, to protect instrument sensing lines in one channel or division from postulated effects of a failure of the other channels or divisions.
2. A missile shield, to be installed around the lines until a minimum separation distance of 46 cm (18 inches) is achieved between the different redundant sensing lines.
K. Instrumentation and sensing lines shall be easily identified and distinctly labeled as ML-1/Safety Class or ML-2/Safety Significant. Each instrument sensing line, as a minimum, shall be tagged at its process line root valve connection, at the instrument, and at any point in between where the sensing line passes through a wall or a floor (on both sides of such penetrations).62
L. Barriers used to protect instrumentation (as determined by safety analysis) shall be identified in the field, to prevent inadvertent degradation of this protection.63
M. To prevent the loss of both parts of a redundant set of instruments, separate process pipe connections with sufficient separation shall be used wherever possible.64
1. When a single process connection must be used, the system shall be designed for a “safe” trip action of the channel upon tap or sensing line breakage.
2. The single process connection shall be protected from credible sources of damage and separation of the redundant sensing lines shall be achieved as close as possible to the process connection.
59 ISA 67.01.01, “Transducer and Transmitter Installation for Nuclear Safety Applications” 60 ISA 67.02.01, “Nuclear Safety-Related Instrument Sensing Line Piping and Tubing Standard for Use in Nuclear Power Plants” 61 ISA 67.01.01, “Transducer and Transmitter Installation for Nuclear Safety Applications,” and ISA 67.02.01, “Nuclear Safety-Related Instrument Sensing Line Piping and Tubing Standard for Use in Nuclear Power Plants” 62 ISA 67.02.01, “Nuclear Safety-Related Instrument Sensing Line Piping and Tubing Standard for Use in Nuclear Power Plants” 63 ISA 67.01.01, “Transducer and Transmitter Installation for Nuclear Safety Applications” 64 ISA 67.02.01, “Nuclear Safety-Related Instrument Sensing Line Piping and Tubing Standard for Use in Nuclear Power Plants”
12.3 Application of ISA 84.00.01, Safety Instrumented Systems for the Process Industry Sector, to Safety Significant SSCs65
A. ANSI/ISA 84.00.01 shall be applied in the design, installation and testing of nuclear safety significant instrumented systems and non-nuclear instrumented systems as specified in DOE-STD-1195 and other subsections of this chapter. ISA 84.00.01 Section 1-y (for existing systems) is deleted. The code of record generally governs the design of modifications to existing facilities (except for “major mods”); when modifications or replacements are made the Design Authority determines whether to use the existing code of record or current codes and standards within the requirements of ESM ChaPTER 1 Section Z10.
B. LANL software requirements under P1040 shall be applicable in addition to ANSI/ISA 84.00.01 Section 12 “Requirements for application software, including selection criteria for utility software”. If conflicts exist between LANL documents and ANSI/ISA 84.00.01, refer to the ESM Chapter 8 POC for clarifications.
C. ISA 84.00.01, Section 14 “SIS installation and commissioning” shall be implemented using LANL policies and procedures for the subject areas of Installation, Commissioning and Pre-Startup acceptance test.
D. The application of DOE STD-1195 requires the determination of Independent Protection Layers (IPLs) in order to determine the required SIL (Safety Integrity Level) for the SIS (Safety Instrumented System). A committee of stakeholders to include ES-EPD, the cognizant system engineer, Safety Basis, and the Design Agency shall be used to determine and evaluate IPLs and the resulting SIL for the SS control system.66
E. It is the Design Agency’s responsibility to provide a preliminary probability of failure on demand (PFD) calculation during the design phase of the project. The preliminary calculation shall be based on the design basis equipment selection and best information available during design. The calculation shall be complete and in acceptable format such that if design basis equipment is used in the project, that the calculation may be used, unaltered, as final documentation for the project.67
65 DOE –STD-1195-2011 provides details for the application of ANSI/ISA 84.00.01 to safety significant control systems. The previous clarifications provided by this section of ESM are now found in that standard and are no longer included in the chapter of the ESM. 66 Added because decisions about IPLs and SIL, although defined in 1195, cannot be made by the Design Agency without the required input from LANL 67 Supporting calculations for PFD must be completed during design phase. Failure to do this may result in a design that does not meet the required SIL level.
12.4 Application of ISA 84.00.01, Safety Instrumented Systems for the Process Industry Sector, to Safety Significant Alarm Systems68
Apply with the following limitations:
A. When the operator action taken when the alarm sounds does not bring the system to a safe state:
1. The analysis of the SIS’s capability to meet the PFD is ended at the alarm annunciation device activation.
2. The system shall be designed to a Safety Integrity Level of 1 (SIL-1). Guidance: A SIL-1 is used for this type of alarm system which is commensurate with the risk associated with an unmanned alarm.
3. The required time for the SIS to perform its function does not include the time for operator action. The time used to determine adequacy is from the initiating event to the actuation of the alarm annunciation device. Guidance: In many applications a Safety Significant alarm may not bring the system to a safe state or the required operator action may not be within the control of the operator or LANL. For example, an SS low fuel level alarm for an emergency generator can only notify the operator of the condition but cannot bring the system to a safe state (refueling of the generator). The refueling of the tank is not within the direct control of the operator or LANL as it may involve outside services (e.g., fuel truck, availability of fuel, availability of roads to deliver fuel, etc.). The ability to evaluate these outside services is not in the scope of the PFD and time requirements calculations.
B. When the operator action taken when the alarm sounds does bring the system to a safe state:
1. A specific administrative control (SAC) must be in place to address the operator’s actions.
2. Time for the operator to perform the required duty shall be evaluated using ANSI/ANS-58.8 and included in supporting calculations.
a. Where operation centers are unmanned during off hours, the time for the operator to perform the required duty shall not include the time no operator was in the operation center. Guidance: When calculating the SIS response time involving an unmanned operations center, the time between the alarm annunciation and the time the operator identifies the alarm condition shall be considered to be zero. If this is unacceptable an alternate control/alarm system is needed to address the condition during off hours.
68 Currently no code or standard directly defines the requirements for SS alarm systems. The principles provided in ANSI/ISA 84.00.01 provide a good basis to qualifying SS alarm systems.
12.5 Application of ANSI/ISA-67.04.01, Setpoints for Nuclear Safety-Related Instrumentation 69
A. When SS/SC control systems are designed, requiring application of ANSI/ISA-67.04.01,
it is the Design Agency’s responsibility to provide a preliminary setpoint calculation during the design phase of the project. The preliminary calculation shall be based on the design basis equipment selection and best information available during design. The calculation shall be complete and in acceptable format such that if design basis equipment is used in the project, that the calculation may be used, unaltered, as final documentation for the project. Guidance: The use of AP-341-613 – Instrument Set Point Control is one way to meet this requirement. When followed, this AP provides an ANSI/ISA-67.04.01-compliant calculation.
B. Should the project opt to use equipment other than the design basis equipment, it is the Design Agency’s responsibility to update the setpoint calculation to reflect the equipment actually used prior to close out of the project. Guidance: The setpoint calculation must be completed early in the design phase of a project to assure the selected equipment/system is capable of performing its task. Examples at LANL have shown that incorrect design resulted in systems that could not perform their function due to inadequacy in precision or long term drift issues. Providing a setpoint calculation during design validates the selected system ability to perform within the required tolerances
12.6 Application of IEEE 384, IEEE Standard Criteria for Independence of Class 1E Equipment and Circuits 70
Note: This material is based on the 1992 version of the standard. The current version (2008) may vary slightly from the 1992 version; consult ESM Chapter 8 POC if discrepancies arise.
A. IEEE 384 shall be used to satisfy the requirements of DOE O 420.1C unless an alternative method is justified in the Design Documents. The requirements of IEEE 384 shall71 be strictly applied to the design of SC/ML-1 instrumented systems and the associated interfaces unless a variance is granted in accordance to Chapter 1, Section Z10. The following constitute specific clarifications, modifications, substitutions, additions, or deletions to the identified sections of the standard, for use in LANL non-reactor facilities. Those not specifically referenced are deemed appropriate as written, except for word substitutions.
B. Word Substitutions:
1. “Control room” is substituted for “main control room” and/or “central control room” in IEEE 384, since a control room in a non-reactor facility serves the same function as the main control room in a nuclear power generating station.
69 Lessons learned on projects at LANL 70 Provides an interpretation of how IEEE 384, “IEEE Standard Criteria for Independence of Class 1E Equipment and Circuits,” should be applied within DOE non-reactor facilities in order to implement DOE G 420.1-1 as a safe-harbor methodology for compliance with DOE O 420.1C. 71 Lessons learned from TA-18 ITMS Project [EM-Ref. 49]
2. “Emergency” is substituted for “Standby” in IEEE 384.
3. “Facility is substituted for “unit” and/or “station” in IEEE 384.
4. “Non-reactor facility” is substituted for “nuclear power generating station” in IEEE 384.
C. IEEE 384, Section 2 Purpose, is revised as follows to add DOE Order 420.1C:
“This standard establishes the guidance for implementation of the independence criteria of DOE Order 420.1C, IEEE 603, and IEEE Std 308-1991. In addition, this standard provides criteria for implementation of independence requirements for safe shutdown systems.”72
D. Guidance: IEEE 384-1992, Section 3 References, has a list of other standards that are to be used with IEEE 384-1992. All standards referenced by IEEE 384-1992 should be used only as information to be considered during the design of a facility or a project.
E. The following applies to IEEE 384, Section 4 Definitions:
1. The definition of “Class 1E” is deleted from the section.
2. The definition of “emergency power” is added as follows to replace “standby power”, since the term “standby power” as it applies to LANL non-reactor facilities is used to supply non-safety systems as described in NFPA 70, NFPA 110, and IEEE 446:
“The power supply that is provided to ML-1/Safety Class equipment and/or ML-1/Safety Class systems to allow them to maintain their safety functions during periods of partial or total failure of the preferred power system.”
3. The definition of “exposure fire” is added as follows from 10 CFR 50, Attachment R, to clarify the independence requirements for safety shutdown systems that have been added as criteria:
“A fire in a given area that involves either in situ or transient combustibles and is external to any structures, systems or components located in or adjacent to that same area. The effects of such fire (e.g., smoke, heat, or ignition) can adversely affect those structures, systems, or components important to safety.”
4. The definition of “safe shutdown” is added as follows to establish the meaning of safe shutdown for a non-reactor nuclear facility:
“Safe shutdown in a non-reactor nuclear facility is a shutdown of a process with (1) the reactivity (nuclear or chemical) of the process kept to a margin below criticality (prevent accidental nuclear criticality) consistent with the facility technical specifications, (2) systems, structures, and components necessary to maintain this condition operating within their design limits, and (3) components and systems necessary to keep offsite doses within prescribed limits operating properly.”
F. The following applies to IEEE 384, Section 5 General Independence Criteria:
1. The “Note” at the end of Section 5.5.2, Criteria (Associated Circuits), is revised as follows to delete the reference to unit generators:
72 Since the order defines the facility design criteria
“Preferred power supply circuits from the transmission network that become associated circuits solely by their connection to the ML-1/Safety Class distribution system input terminals are exempt from the requirements for associated circuits.”
2. The following sentence is added to Section 5.10.2, Fire, to provide a clarification of fire protection for ML-1/Safety Class systems to prevent the over design of ML-1/Safety Class systems that are not required for safe shutdown:
“ML-1/Safety Class systems, not located in fire hazard areas, used to mitigate the consequences of design basis events but not required for safe shutdown, may be lost to a single exposure fire.”
G. The following applies to IEEE 384, Section 6 Specific Separation Criteria:
1. The following Note is added to the end of Section 6.1.1.2, Minimum Separation Distances (Cable and Raceways). The reduced separation allowed by considering the identified types of cables as enclosed conduit for instrument and control cables has been approved and used in the commercial nuclear industry.
“Mineral Insulated (MI) and Aluminum Sheathed (ALS) cable can be considered as enclosed raceways for instrument and control cables only.”
2. The term “standby generating unit” is substituted with the term “emergency generating unit” wherever it is used in Section 6.2, Standby Power Supply, to stay consistent with the general substitution of “emergency” for “standby”.
H. The following represents additional content added to IEEE 384, Section 7.2, under the Heading, “Non-Safety Class Power Supplying ML-1/Safety Class Equipment”.
1. Electrical isolation of Non-Safety Class power circuits from ML-1/Safety Class components should be achieved by ML-1/Safety Class isolation devices applied to interconnections of the Non-Safety Class power circuits and the ML-1/Safety Class component/function (See Fig. 9 of IEEE 384).
2. Sections 7.1.2 and 7.2.2 of IEEE 384provide general information for protective devices for this particular type of interconnection.
However, for this interconnection a device is considered an electrical isolation device for power, and instrumentation and control circuits if it is applied so that (a) the maximum credible voltage or current transient applied to the device’s ML-1/Safety Class side will not degrade the operation of the circuit connected to the device’s non-safety side below an acceptable level; and (b) shorts, grounds, or open circuits occurring in the ML-1/Safety Class side will not degrade the circuit connected to the device’s non-safety side below an acceptable level.
The highest voltage to which the isolation device ML-1/Safety Class side is exposed should determine the minimum voltage level that the device should withstand across the ML-1/Safety Class side terminals, and between the ML-1/Safety Class side terminals and ground. Transient voltages that may appear in the ML-1/Safety Class and Non-Safety Class sides must also be considered.
The separation of the wiring at the input and output terminals of the isolation device may be less than 1 in (2.5 cm) as required in 6.6.2 of IEEE 384provided that it is not less than the distance between input and output terminals.
Minimum separation requirements do not apply for wiring and components within the isolation device; however, separation should be provided wherever practicable.
The capability of the device to perform its isolation function should be demonstrated by qualification test. The test should consider the levels and duration of the fault current on the ML-1/Safety Class side.
3. When the requirements of Items 1 and 2 above are met, the following devices may be used as acceptable isolation devices for instrumentation and control circuits: a. Amplifiers b. Control switches c. Current transformers d. Fiber optic couplers e. Photo-optical couplers f. Relays g. Transducers h. Power packs i. Circuit breakers j. Input current limiters
Note: In using contact-to-contact isolation, consideration should be given to the effect on independence that may occur from welding of contact.
4. When the requirements of Items 1 and 2 above are met, a fuse may be used as an isolation device (except between redundant divisions) if the following additional criteria are met. The requirements have been developed because of the methodology used to classify a component or a component’s function. A component may be classified as ML-1/Safety Class, but does not rely on electric power to perform its safety function. The electric power is present only for operational requirements. Therefore, the power may be obtained from a Non-Safety Class source if proper circuit protection is provided.
a. Fuses should provide the design overcurrent protection capability for the life of the fuse.
b. The fuse time-overcurrent trip characteristic for all circuit faults should cause the fuse to open prior to the initiation of an opening of any upstream interrupting device.
c. The power source should supply the necessary fault current to ensure the proper coordination without loss of function of other Non-Safety loads.
I. The following represents additional content added to IEEE 384, under the Section Heading, “ML-1/Safety Class Safe Shutdown Cables and Equipment”.
1. General: ML-1/Safety Class safe shutdown cables and equipment should comply with the requirements of previous sections of this document and the following additional requirements.
2. The independence of redundant ML-1/Safety Class safe shutdown cables and equipment should be maintained for a single postulated exposure fire.
3. A single exposure fire should be postulated in those areas of the facility which contain cables or equipment necessary to provide safe shutdown capability in the event of fire.
4. An exposure fire should be postulated to occur regardless of whether or not the area contains ignition sources or combustible materials.
5. Exposure fires should not be postulated concurrent with non-fire related failures in ML-1/Safety Class systems, design basis events, or natural phenomena (for example, earthquakes, tornado).
6. The independence of ML-1/Safety Class safe shutdown systems, structures, and components should be such that a single postulated exposure fire should not defeat the safe shutdown function.
7. Redundant ML-1/Safety Class cables and equipment required for safe shutdown should be located in different fire areas. The area boundaries should meet the requirements of Section 6.1.8.2 of IEEE 384.
8. When redundant safe shutdown cables and equipment are located within the same fire area, one of the following requirements must be met:
a. Redundant ML-1/Safety Class cables and equipment required for safe shutdown should be separated from each other by a 3-hour fire barrier. Structural steel forming a part of or supporting such fire barriers should be protected to provide fire resistance equivalent to that required of the barrier.
b. Separation of cables and equipment of redundant divisions by a horizontal distance of more than 20 feet with no intervening combustibles or fire hazards. In addition, fire detectors and an automatic fire suppression system should be installed in the fire area.
c. Enclosure of cables and equipment of one redundant division in a fire barrier having a 1-hour rating. In addition fire detectors and an automatic fire suppression system should be installed in the fire area.
12.7 Application of ANSI/ANS 58.8, Time Response Design Criteria for Safety-Related Operator Actions
This standard is written specifically for use in nuclear power plants. In order to apply this standard at LANL facilities the following substitutions must be made:
1. The term “nuclear power plants” shall be substituted with “nuclear facility(ies)”. The term “plant” shall be substituted with “facility”.
2. Section 1.3 (1) shall be replaced with “The facility has been designed to meet DOE specified codes and standards for safety significant and/or safety class requirements as applicable”.
3. Section 1.3 (4) shall be replaced with “The operators are qualified in accordance with LANL operator training qualifications and required site specific operator training”.
A. When evaluating plant conditions (PC), as defined in 2. Definitions, “Best Estimated Frequency of Occurrence (F) per Reactor Year”:
1. The term “Reactor Year” shall be interpreted as “Facility Operation Year”.
2. The frequency value shall be taken from the DSA, if provided, for the event.
B. This standard shall be applied when evaluating an SS SIS required response time, per ISA 84.00.01 (Section 10.3.1), when an operator response is required to bring the system to a safe state.
ATTACHMENTS: A. Instrumented Systems used in Safety Significant and Hazardous Processes Design Guidance B. Fail-Safe Design of Process Control Loops Guidance C. Instrumentation and Controls Design Review Guidance D. Installation and Calibration of Instruments Guidance E. Alarm Management Guidance F. Instrument Loop Diagrams Guidance G. Control Logic Diagrams Guidance H. Panel and Wiring Diagram Guidance I. Process Flow and Process & Instrumentation Diagram Requirements
